Dear Readers,


The BSD team and I are delighted to announce a new issue of BSD Magazine. We completed this issue to include a large pile of tutorials and practice-rich articles for you to build up your open-source skills and knowledge. This time, we publish more on Infrastructure Management, and I hope you'll like this batch of articles. I would like to thank the authors of this BSD issue as all of them did great work and wrote insightful, high-level and technical articles in a very short time. Thank you. Also, I would like to mention here that those who did not write for this issue are currently working on the next issues of the BSD magazine and writing the articles that will be devoted to security and cloud computing. Thank you all for your time and willingness to help. I've started with this BSD issue after a long break and I am happy that I can meet so many open-minded, knowledgeable, hard-working and trustworthy people. I received and I am still receiving many emails from you, and you make my day every time I go through them. Write anytime. Feel free to ask any questions regarding the BSD Magazine or send your opinion on what we can do to make it better. Working with you was a great pleasure.


Our common ultimate goal was and still is to supply our readers with the knowledge and skills they need in their professional careers. We are happy to take your suggestions for future articles and tutorials on what you most need to see in our magazine.


Let's take a look at what you will encounter in this issue of BSD. Our experts will instruct you on how to deal with a virtual firewall and how to install OPNsense on bhyve. Thereafter, we will be heading to OpenBSD as a Gateway Firewall for SOHO and Enterprise Networks. In this issue, you will read more on SmartOS Containers. Last but not least, we'll share more concerning FreeBSD Server Management with Ansible, Active Directory with Samba and BIND on FreeBSD, OPNsense, and much more. Make sure to check out this issue for more articles and tutorials.


If you want to start a real-life open-source journey with our rich-content publications, or to get in contact with our team, feel free to write to us.


Best regards, 


Ewa & The BSD Team 


PS. As always, we invite other experts, companies and reviewers to collaborate on future work and issues.
News
BSD Team


This column presents the latest news coverage of events, product releases, and trending topics.


FreeBSD 
Active Directory with Samba and BIND on FreeBSD 4 


Bob Cromwell 

Bob will advise you on how to run an Active Directory service on 
FreeBSD. The goal is to explain the new or surprising parts to people 
from the UNIX world. The Samba domain provisioning itself is 
surprisingly easy and is documented nicely on the Samba website. 


FreeBSD Server Management with Ansible 8 
David Rodriguez 


David will mainly focus on Ansible’s key features and setup, how 
Ansible fits into the modern DevOps movement and some of the 
decisions you will make in designing a FreeBSD server infrastructure. 
Using FreeBSD as a start, the large number of ports and packages 
available along with a tool like Ansible enables you to build a 
large-scale infrastructure quickly. 


Taking a Look at SmartOS Containers 13 
Carlos Antonio Neira Bustos 

There are a lot of remarkable things to do with SmartOS as a home server: for instance, run containers for development or production in your company, speed up development using containers, run game servers, etc. Carlos will start with SmartOS containers in his article.


OpenBSD 

OpenBSD as a Gateway Firewall for SOHO and Enterprise 
Networks 21 
Antonio Francesco Gentile 

In Antonio's article, you'll see that OpenBSD makes it possible to build a gateway router/firewall and a multi-VPN concentrator. The level of security it can provide is very high, both for SOHO and enterprise infrastructures; therefore, OpenBSD proves to be a great alternative to dedicated and expensive hardware, and it's open source.


OPNsense 

OPNsense 38 
Abdorrahman Homael 

Abdorrahman in his article explains what OPNsense is and presents more about OPNsense vs. pfSense. He describes how to deal with a virtual firewall, how to install OPNsense on bhyve, and what the mandatory OPNsense configuration is.


Meet Unix Bloggers 


Kill a long running process in Unix 42 
Vishal Lambe 

Shell From vi 46 
Tom Ryder 

Interview 

Interview with Benjamin Wright 50 


Ewa & The BSD Team 


Column 
Infrastructure Management 52 
Randy Ramirez 


BSD Certification 


The BSD Certification Group Inc. 
(BSDCG) is a non-profit organization 
committed to creating and 
maintaining a global certification 
standard for system administration 
on BSD based operating systems. 


WHAT CERTIFICATIONS ARE AVAILABLE?


BSDA: Entry-level certification suited for candidates 
with a general Unix background and at least six months of 
experience with BSD systems. 


BSDP: Advanced certification for senior system administrators 
with at least three years of experience on BSD systems. 
Successful BSDP candidates are able to demonstrate 

strong to expert skills in BSD Unix system administration. 


WHERE CAN I GET CERTIFIED?


We're pleased to announce that, after 7 months of negotiations and the work required to make the exam available in a computer-based format, the BSDA exam is now available at several hundred testing centers around the world. Paper-based BSDA exams cost $75 USD. Computer-based BSDA exams cost $150 USD. The price of the BSDP exam is yet to be determined.


Payments are made through our registration website: 
https://register.bsdcertification.org//register/payment 


WHERE CAN I GET MORE INFORMATION?


More information and links to our mailing lists, LinkedIn 
groups, and Facebook group are available at our website: 
http://www.bsdcertification.org 


Registration for upcoming exam events is available at our 
registration website: 
https://register.bsdcertification.org//register/get-a-bsdcg-id 


NEWS 


Qt 5.7.1, KDE Frameworks 5.31 Available 

The KDE-FreeBSD team announced that Qt 5.7.1 and KDE Frameworks 5.31 are available in the official FreeBSD ports tree. This release has one new KDE Framework, Kirigami 2. It also adjusts the Qt4 and Qt5 ports, and it adds misc/qtchooser, which allows developers and sysadmins to manage multiple concurrent Qt installations. They advise users to consult the UPDATING entry for 20170218.


https://freebsd.kde.org/ 


Rust-based Redox OS 0.0.6 Released 


Redox OS, a microkernel OS written in Rust, has just released version 0.0.6, which includes bug fixes and an update to Rust.
https://github.com/redox-os/redox/releases/tag/0.0.6


Unix History Repository on Github 

The history and evolution of the Unix operating system is made available as a revision management repository, covering the period from its inception in 1970 as a 2,500-line kernel and 26 commands to 2017 as a widely-used 27-million-line system. The 1.1GB repository contains about half a million commits and more than two thousand merges.

The repository uses Git for its storage and is hosted on GitHub. It has been created by synthesizing, with custom software, 24 snapshots of systems developed at Bell Labs, the University of California at Berkeley, and the 386BSD team, two legacy repositories, and the modern repository of the open-source FreeBSD system. In total, about one thousand individual contributors are identified, the earlier ones through primary research.

The data set can be used for empirical research in software engineering, information systems and software archaeology. 


https://github.com/dspinellis/unix-history-repo 


BSDCan 2017 


A BSD conference will be held in Ottawa, Canada. It is a technical conference for people working on and with 4.4BSD-based operating systems and related projects.
Tutorials: 7-8 June 2017 (Wed/Thu); conference: 9-10 June 2017 (Fri/Sat).


https://www.bsdcan.org/2017/


The Enviable Pedigree of UNIX® and POSIX®

But today's breakthroughs would not have been possible without what came before them, a fact we sometimes forget. Mainframes led to personal computers, which gave way to laptops, then tablets and smartphones, and now a myriad of gadgets.
https://blog.opengroup.org/2016/08/17/the-enviable-pedigree-of-unix-and-posix/


AsiaBSDCon 2017 


March 9 - 12, Tokyo University of Science, Tokyo, Japan. 

AsiaBSDCon is a conference for users and developers on BSD based systems. The conference is for anyone developing, deploying 
and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFly BSD, Darwin and MacOS X. AsiaBSDCon is a technical 
conference with an aim of collecting the best technical papers and presentations available to ensure that the latest developments in 
our Open-source community are shared with the widest possible audience. 


https://2017.asiabsdcon.org/ 


EuroBSDCon 2017 

September 21 - 24, 2017, Paris, France 

EuroBSDCon is the premier European conference on the open-source BSD operating systems, attracting about two hundred and fifty highly skilled engineering professionals, software developers, computer science students, professors, and users from all over Europe and other parts of the world. The goal of EuroBSDcon is to exchange knowledge about the BSD operating systems and to facilitate coordination and cooperation among users and developers.

https://2017.eurobsdcon.org/ 


Community BSD Events Website 
The BSD Events website was created for a complete up to date list of all events for the entire BSD community, including 
conferences and other get-togethers. Dates and locations for upcoming BSDCG exam events are also included. 


www.bsdevents.org 


Active Directory with Samba and BIND on FreeBSD


I was working on some projects that needed an Active Directory server. These were proof-of-concept projects, figuring out how to integrate Linux and BSD servers with Windows desktops and, potentially, some Windows servers. That means using Active Directory.


Here is how to run an Active Directory service on FreeBSD. The goal is to explain the new or surprising parts to people from the UNIX world. The Samba domain provisioning itself is surprisingly easy and is documented nicely on the Samba website. I have much more detail on my site if you want to go deeper into the whole project.


What is Active Directory?


Active Directory or AD is Microsoft's bundle of DNS, 
LDAP and Kerberos. BIND is the Internet-standard DNS 
server, and Samba 4 includes LDAP and Kerberos, so we 
have the needed pieces. Other Microsoft-specific 
services are common in AD environments like MS-SQL, 
Exchange, AD Certificate Service, etc., but Microsoft is 
adamant about the AD server running nothing but AD. 


Samba uses the Heimdal implementation of Kerberos. It is compatible with the original MIT code and with Microsoft's version. Windows systems, both clients and Kerberized services, won't realize that they aren't communicating with a native Microsoft Active Directory server.


Getting Started — FreeBSD on Raspberry Pi 


The goal was experimenting and developing, not deployment with enterprise-scale performance. So, I used RaspBSD, a FreeBSD image for the Raspberry Pi and other very low-cost/size/power platforms.


The first Samba-specific requirement is adding lines to /etc/hosts to map each IPv4 and IPv6 address to the hostname and FQDN.


I also added syslog, configuring it to send nothing to files and everything across the net to a log collector.


Stumbling Block #1 


I encountered my first problem when I added BIND and Samba. The RaspBSD repository has the following packages: bind99, bind910 and bind911, providing BIND 9.9, 9.10 and 9.11 respectively, and samba42 and samba43, providing Samba 4.2 and 4.3. But you can't install the very latest of both!


Samba uses dynamically loadable zones (BIND9_DLZ) accessible through the AD schema. Samba needs the appropriate shared library for the installed version of BIND. Samba 4.3 supports BIND up to 9.10; BIND 9.11 requires at least Samba 4.5.2. So, it was bind910 and samba43.


Stumbling Block #2 


The second problem was very BSD-specific. The RaspBSD image of FreeBSD has NFSv4 ACLs enabled in the superblock of the root file system. If a flag is set in the superblock, it is used at initial mount time regardless of /etc/fstab contents.


# mount | grep s2a
/dev/mmcsd0s2a on / (ufs, local, noatime, journaled soft-updates, nfsv4acls)


Samba used to support NFSv4 ACLs, as long as you specified that during the initial provisioning. However, Samba presently requires POSIX ACLs to protect /var/db/samba4/sysvol/. The superblock must be modified. I did it interactively after manually stopping almost all processes:


# sync
# sync
# mount -f -u -o ro /
# dumpfs / | grep flags
# tunefs -N disable /
tunefs: NFSv4 ACLs cleared
tunefs: filesystem reloaded
# tunefs -a enable /
tunefs: POSIX.1e ACLs set
tunefs: filesystem reloaded
# dumpfs / | head -22
magic   19540119 (UFS2) time    Fri Feb 17 15:42:56 2017
superblock location     65536   id      [ 5887d304 7cce2791 ]
ncg     130     size    7787248 blocks  7540727
bsize   32768   shift   15      mask    0xffff8000
fsize   4096    shift   12      mask    0xfffff000
frag    8       shift   3       fsbtodb 3
minfree 8%      optim   time    symlinklen 120
maxbsize 32768  maxbpg  4096    maxcontig 4     contigsumsize 4
nbfree  883015  ndir    5571    nifree  3844183 nffree  471
bpg     7493    fpg     59944   ipg     30080   unrefs  0
nindir  4096    inopb   128     maxfilesize     2252349704110079
sbsize  4096    cgsize  16384   csaddr  1920    cssize  4096
sblkno  24      cblkno  32      iblkno  40      dblkno  1920
cgrotor 0       fmod    0       ronly   0       clean   0
metaspace 2392  avgfpdir 64     avgfilesize 16384
fsmnt   /
volname         swuid   0       providersize    7787248
cs[].cs_(nbfree,ndir,nifree,nffree):
        (1635,451,25991,4) (15,441,24276,7) (57,440,25955,109) (190,443,23526,23)
        (1949,30,23230,41) (2266,150,24514,113) (4308,356,26422,58) (3137,218,27997,61)
# reboot
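As an added example that is not part of the article, the following POSIX sh helper encodes the decision made above: classify a UFS file system's ACL mode from the dumpfs(8) flags line or a mount(8) line, and print the tunefs sequence that converts it to the POSIX.1e ACLs Samba wants for sysvol. The sample lines it runs on are constructed to look like the Raspberry Pi root file system in the article; the helper only prints commands and never touches a superblock.

```sh
#!/bin/sh
# Added example, not from the article: classify a UFS file system's ACL
# mode from what the superblock (dumpfs) or mount(8) reports, and print the
# tunefs sequence the article used to switch it to POSIX.1e ACLs.  The
# sample lines at the bottom are constructed to match the article's
# Raspberry Pi root file system; nothing here modifies a real superblock.

# acl_mode LINE  -> prints nfsv4, posix or none
#   LINE is the "flags" line of dumpfs(8) output or a line of mount(8)
#   output.  dumpfs is the one to trust: the superblock flag wins over
#   /etc/fstab at the initial mount of /.
acl_mode() {
    case "$1" in
        *nfsv4acls*)                       echo nfsv4 ;;
        *" acls"*|*",acls"*|*"(acls"*)     echo posix ;;
        *)                                 echo none ;;
    esac
}

# sysvol_tunefs_plan MOUNTPOINT MODE
#   Print (do not run) the commands that take MOUNTPOINT from MODE to the
#   POSIX.1e ACLs Samba wants for sysvol.  As in the article, the file
#   system is remounted read-only before tunefs touches the superblock,
#   and the box is rebooted so the new flag is used at mount time.
sysvol_tunefs_plan() {
    mp=$1
    mode=$2
    case "$mode" in
        posix)
            echo "# $mp already has POSIX.1e ACLs; nothing to do" ;;
        nfsv4)
            printf '%s\n' "sync; sync" "mount -f -u -o ro $mp" \
                "tunefs -N disable $mp" "tunefs -a enable $mp" \
                "dumpfs $mp | grep flags" "reboot" ;;
        none)
            printf '%s\n' "sync; sync" "mount -f -u -o ro $mp" \
                "tunefs -a enable $mp" "dumpfs $mp | grep flags" "reboot" ;;
        *)
            echo "unknown ACL mode: $mode" >&2
            return 1 ;;
    esac
}

# Constructed samples (not captured output)
mount_line='/dev/mmcsd0s2a on / (ufs, local, noatime, journaled soft-updates, nfsv4acls)'
dumpfs_line='flags   soft-updates+journal nfsv4acls'

echo "mount says:  $(acl_mode "$mount_line")"
echo "dumpfs says: $(acl_mode "$dumpfs_line")"
echo "plan:"
sysvol_tunefs_plan / "$(acl_mode "$dumpfs_line")"
```

On a real system feed it `dumpfs / | grep flags` rather than the mount line: after a stray fstab edit the two can disagree, and it is the superblock that decides what / is mounted with.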
Back on Track 


After that, things went smoothly. | added records on the 
BIND master server to define the new FreeBSD system, 
including the peculiar-looking SRV or Service records. 
The zone file contained the following: 


[... lines deleted ...]

freebsd                           IN  A      10.1.1.235
freebsd                           IN  AAAA   fc00::ba27:ebff:fe41:b9ae
dc                                IN  CNAME  freebsd

;;; _service._protocol.DNSdomain  IN  SRV  priority weight port target
_ldap._tcp.corp.example.com.      IN  SRV  0 0 389  freebsd
_ldap._udp.corp.example.com.      IN  SRV  0 0 389  freebsd
_kerberos._tcp.corp.example.com.  IN  SRV  0 0 88   freebsd
_kerberos._udp.corp.example.com.  IN  SRV  0 0 88   freebsd
_kpasswd._tcp.corp.example.com.   IN  SRV  0 0 464  freebsd
_kpasswd._udp.corp.example.com.   IN  SRV  0 0 464  freebsd

[... lines deleted ...]



The AD-specific names have the form _service._protocol.dns-domain, and the records carry a priority and a weight for load balancing. See Microsoft TechNet for more information concerning the service records. Then, I set up the FreeBSD system as a BIND slave server and tested its DNS functionality.
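As an added example (not from the article or from Samba), here is a POSIX sh generator for the SRV records an AD client looks up, plus a check that reports which of them a zone file lacks. The domain corp.example.com and the target freebsd are taken from the zone above; the _msdcs and _gc entries go beyond the article and follow the set Microsoft documents for domain controllers. The zone fragment the demo runs on is constructed.

```sh
#!/bin/sh
# Added example (not from the article): generate the SRV records an Active
# Directory client looks for, and check a zone file for the ones it lacks.
# The realm corp.example.com and the DC host name "freebsd" come from the
# article; the _msdcs and _gc entries go beyond it and follow the list in
# Microsoft's AD DNS documentation.  The sample zone below is constructed.

# ad_srv_records DOMAIN DCHOST
#   Print one "owner IN SRV prio weight port target" line per record that
#   a DC for DOMAIN should publish.  DCHOST is relative to the zone.
ad_srv_records() {
    domain=$1
    dc=$2
    for spec in \
        "_ldap._tcp:389" "_ldap._udp:389" \
        "_kerberos._tcp:88" "_kerberos._udp:88" \
        "_kpasswd._tcp:464" "_kpasswd._udp:464" \
        "_ldap._tcp.dc._msdcs:389" "_kerberos._tcp.dc._msdcs:88" \
        "_ldap._tcp.pdc._msdcs:389" "_gc._tcp:3268"
    do
        name=${spec%%:*}
        port=${spec##*:}
        printf '%-40s IN SRV 0 0 %-5s %s\n' "$name.$domain." "$port" "$dc"
    done
}

# missing_srv_records ZONEFILE DOMAIN
#   Print the owner name of every record from ad_srv_records that has no
#   SRV line in ZONEFILE.  Owners may be written fully qualified or relative
#   to the zone; priority, weight and target are not compared.
missing_srv_records() {
    zonefile=$1
    domain=$2
    ad_srv_records "$domain" x | while read -r name _; do
        rel=${name%.$domain.}
        fq=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for ERE
        rl=$(printf '%s' "$rel" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*($fq|$rl)[[:space:]].*[[:space:]]SRV[[:space:]]" "$zonefile" \
            || echo "$name"
    done
}

# Demo on a constructed zone fragment modelled on the article's
sample=$(mktemp)
cat > "$sample" <<'EOF'
freebsd                           IN  A      10.1.1.235
_ldap._tcp.corp.example.com.      IN  SRV  0 0 389  freebsd
_kerberos._tcp                    IN  SRV  0 0 88   freebsd
EOF
echo "records a DC for corp.example.com should publish:"
ad_srv_records corp.example.com freebsd
echo "missing from the sample zone:"
missing_srv_records "$sample" corp.example.com
rm -f "$sample"
```

Once the zone is loaded, `dig +short SRV _ldap._tcp.corp.example.com @dc` against the new slave is the quickest way to confirm the records actually resolve; a Windows client that cannot find _ldap._tcp and _kerberos._tcp will refuse to join the domain.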


Setting up Samba 


Start by checking where things will go.
# smbd -b | grep /


Configuration went in /usr/local/etc/, programs in /usr/local/*bin, logs in /var/log/samba4/* (I'll change that) and all the Samba (and LDAP and Kerberos) details in /var/db/samba4/*. The ease of doing this was a nice surprise! You can do it interactively, or all on one line. Either way, make sure you include RFC 2307 support so that AD can record UNIX attributes like UID, home directory, etc. Here is an example of the non-interactive syntax.


# samba-tool domain provision --use-rfc2307 \
    --realm=CORP.EXAMPLE.COM \
    --domain=CORP \
    --server-role=dc \
    --dns-backend=BIND9_DLZ


Read through the narrative output and record the 
automatically generated administrator password and 
domain SID. 


Remaining Manual Steps


Check /var/db/samba4/private/named.conf to verify that it found the appropriate BIND9_DLZ library. Then add a line to your main BIND configuration file to include this Samba named.conf file. Also, create a symbolic link /etc/krb5.conf pointing to the newly generated file /var/db/samba4/private/krb5.conf. Another AD-specific configuration file is /usr/local/etc/smb4.conf. After some testing illustrated on my site, I added some lines to /etc/rc.conf:


named_enable="YES"
samba_server_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
syslogd_enable="YES"


Reboot, and it works! Now we can define AD groups and users with samba-tool, and Kerberos principals, authorizations and cryptography requirements with kadmin.
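The following script is an added example and not part of the article. It checks the manual steps listed above against a path prefix, so it can be exercised on a scratch tree before being pointed at / on the real DC. The file locations are those the article names; treating /usr/local/etc/namedb/named.conf as BIND's main configuration file and dlz_bind9_10.so as the module name for BIND 9.10 are assumptions, and the tree it builds for itself is constructed.

```sh
#!/bin/sh
# Added example, not from the article: check the manual steps that follow
# "samba-tool domain provision" on a FreeBSD DC.  ROOT is a path prefix so
# the checks can run against a scratch tree (built by demo_tree below);
# on the real DC call dc_postcheck /.  Paths are the ones the article
# names; /usr/local/etc/namedb/named.conf as BIND's main config and the
# dlz_bind9_10.so module name for BIND 9.10 are assumptions.

# dc_postcheck ROOT  -> one "ok"/"MISSING" line per check; returns the
#                       number of checks that failed
dc_postcheck() {
    root=${1%/}
    fails=0
    samba_named="$root/var/db/samba4/private/named.conf"
    bind_conf="$root/usr/local/etc/namedb/named.conf"
    krb="$root/etc/krb5.conf"
    rcconf="$root/etc/rc.conf"

    # 1. provisioning left an active (uncommented) dlopen line for the
    #    BIND9_DLZ module, and that module file exists
    so=$(sed -nE 's/^[[:space:]]*database[[:space:]]+"dlopen[[:space:]]+([^"]*dlz_bind9_[0-9]+\.so)".*/\1/p' \
            "$samba_named" 2>/dev/null | head -n 1)
    if [ -n "$so" ] && [ -f "$root$so" ]; then
        echo "ok      BIND9_DLZ module $so"
    else
        echo "MISSING active dlz_bind9 module line in $samba_named"; fails=$((fails + 1))
    fi

    # 2. BIND's own configuration includes Samba's named.conf
    if grep -Eq '^[[:space:]]*include[[:space:]]+"/var/db/samba4/private/named.conf"[[:space:]]*;' "$bind_conf" 2>/dev/null; then
        echo "ok      $bind_conf includes the Samba named.conf"
    else
        echo "MISSING include of /var/db/samba4/private/named.conf in $bind_conf"; fails=$((fails + 1))
    fi

    # 3. /etc/krb5.conf is a symlink to the generated Kerberos config
    if [ -L "$krb" ] && [ "$(readlink "$krb")" = /var/db/samba4/private/krb5.conf ]; then
        echo "ok      $krb -> /var/db/samba4/private/krb5.conf"
    else
        echo "MISSING $krb symlink to /var/db/samba4/private/krb5.conf"; fails=$((fails + 1))
    fi

    # 4. rc.conf enables the daemons the DC depends on
    for knob in named_enable samba_server_enable ntpd_enable ntpd_sync_on_start syslogd_enable; do
        if grep -Eq "^${knob}=\"?YES\"?" "$rcconf" 2>/dev/null; then
            echo "ok      $knob=YES"
        else
            echo "MISSING $knob=YES in $rcconf"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# demo_tree DIR  -> populate DIR with a constructed, correctly configured tree
demo_tree() {
    d=$1
    mkdir -p "$d/var/db/samba4/private" "$d/usr/local/etc/namedb" "$d/etc" \
             "$d/usr/local/lib/shared-modules/bind9"
    printf '%s\n' 'dlz "AD DNS Zone" {' \
        '    # For BIND 9.10' \
        '    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_10.so";' \
        '};' > "$d/var/db/samba4/private/named.conf"
    : > "$d/usr/local/lib/shared-modules/bind9/dlz_bind9_10.so"
    echo 'include "/var/db/samba4/private/named.conf";' > "$d/usr/local/etc/namedb/named.conf"
    : > "$d/var/db/samba4/private/krb5.conf"
    ln -s /var/db/samba4/private/krb5.conf "$d/etc/krb5.conf"
    printf '%s\n' 'named_enable="YES"' 'samba_server_enable="YES"' 'ntpd_enable="YES"' \
        'ntpd_sync_on_start="YES"' 'syslogd_enable="YES"' > "$d/etc/rc.conf"
}

scratch=$(mktemp -d)
demo_tree "$scratch"
dc_postcheck "$scratch"
rm -rf "$scratch"
```

The ntpd entries are not cosmetic: Kerberos rejects tickets whose timestamps are more than a few minutes off, so a DC whose clock drifts before ntpd starts will fail authentication for every client.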


Now AD is running! 


I have what I need for my projects, and I hope you found this useful! There's a lot more information about Kerberos administration at MIT and Heimdal.


About the Author 


Bob Cromwell has been using OpenBSD since, well, not sure how long... Some time in the late 1990s. He's used Linux since the days when you downloaded 40+ floppy images, some time around 1993-1994. Before that he had used UNIX, SunOS and forms of BSD, at Purdue since the mid 1980s. He got a BSEE at Purdue back then, worked at the university, grad school, Ph.D. in electrical and computer engineering, has done consulting since 1992. He's taught courses for Learning Tree International since the mid 1990s, and has written courses for them since the late 1990s.
FreeBSD Server Management with Ansible


Configuration management software is currently a thriving market and full of excellent options. Tools like Chef, Puppet, SaltStack, CFEngine and Ansible can help to configure a large number of servers. Each tool has subtle differences that translate to pros and cons. Some of the tools run on Ruby while some run on Python or even C.


Some use a 'push' model where the configuration changes are pushed out to the infrastructure. Other tools use a 'pull' model where the individual nodes in the infrastructure reach out on a timed interval and pull down changes.


Why Ansible? 


As a personal choice, I prefer to use Python over Ruby, and I like to see the instant feedback of the 'push' model when a server fails to complete all configuration changes correctly, versus waiting for servers to check in on a schedule and getting alerted to the issue some time later.


Why FreeBSD and NGINX? 


FreeBSD has a proven track record for reliability and security. There are numerous options to help secure a FreeBSD system: jails, separate mount points, Capsicum and ZFS, to name but a few. FreeBSD has an excellent security team, whose review is an important piece of the development lifecycle. DTrace is one of the best tools available today; it can be used for everything from troubleshooting and debugging to performance analysis and tuning.


FreeBSD is a fully featured OS with all the applications, 
tools and documentation necessary to run large-scale 
enterprise deployments. 


The popular streaming provider, Netflix, has built a 
massive CDN currently responsible for a third of all traffic 
on the Internet in the US. 


The engineers at Netflix have written extensively on their decisions and highlight FreeBSD's feature set as the main reason for choosing FreeBSD to build their CDN. Nginx provides the lightweight, tunable web server they needed. The goal of Netflix was summed up by Gleb Smirnoff as "get more and more gigabits per second from a single box." He gave a fantastic presentation on the many decisions that go into choosing and building a large-scale CDN and why FreeBSD and Nginx were the ideal choices.


Although the challenges Netflix faces are vastly different 
than most companies or individuals face, we can use 
their work to show how reliable, cost-effective and 
secure FreeBSD and Nginx can be in large-scale DevOps 
deployments. 


Ending Goal: 


Learning a new configuration management tool can be a 
challenging task, even more so when the ending goal is 
undefined. This article will mainly focus on Ansible’s key 
features and setup, how Ansible fits into the modern 
DevOps movement and some of the decisions you will 
make in designing a FreeBSD server infrastructure. 


Using FreeBSD as a start, the large number of ports and 
packages available along with a tool like Ansible enable 
you to build a large-scale infrastructure quickly. 


This infrastructure can grow to nearly any size and span as many data centers or regions as need be. The only limitation I've heard of so far is the number of simultaneous SSH sessions the Ansible control server can handle when using Ansible in very large-scale environments. Otherwise, the number of nodes you can control with Ansible is practically unlimited.


Another benefit of using Ansible with a DevOps approach 
is that documentation is part of the process. A 
well-written task will use the name to define the intention 
of the step; “Install Nginx dependency”, “Configure 
Application Monitoring agent” or “git clone Web 
Application XYZ”. 


Even if the module being run in the task is too difficult to 
understand or the code is too complex to read, the name 
provides good insight into the intention. Thus, it’s simple 
to understand and even beginners can instantly recognize 
the goal of each task. 


Getting Started: 


One of Ansible's best features is that it's client-less. If you have SSH access to the servers, you can begin working with Ansible to deploy software immediately; password-less sudo is helpful but not required. Begin by installing Ansible on your local workstation; 'pip' is currently the preferred method.


$ pip install ansible
Collecting ansible
  Downloading ansible-2.2.1.0.tar.gz (2.5MB)
Installing collected packages: idna, pyasn1, six, enum34, ipaddress, pycparser, cffi, cryptography, paramiko, MarkupSafe, jinja2, PyYAML, pycrypto, ansible
  Running setup.py install for ansible ... done
Successfully installed MarkupSafe-0.23 PyYAML-3.12 ansible-2.2.1.0 ...

$ ansible --version
ansible 2.2.1.0


As long as you have Python 2.7 version on the servers, 
you have everything you need to manage your FreeBSD 
infrastructure. There’s no additional client software to 
install to manage infrastructure with Ansible. 


Additionally, there's no need to create and sign client keys. Ansible does not use certificates like Chef or Puppet. Instead, it relies on SSH host keys to verify the identity of the managed hosts. If you're working with more than five servers, it may be helpful to use a script that trusts the host keys for you.


Now is a great time to begin thinking about how you’ll 
populate your inventory file(s). You’re lucky if you have a 
virtualized infrastructure with an API to query and get a 
quick list. An inventory file defines the servers, which 
groups they belong to and options for each server. Here’s 
an example of an inventory file. 


$ cat local
[fbs]
fbs-01 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7
fbs-02 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7
fbs-03 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7

[databases]
fbdb-1 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7
fbdb-2 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7

[gitlab]
fbgit-1 ansible_ssh_user=freebsd ansible_python_interpreter=/usr/local/bin/python2.7

There’s a few options below you may want to add to the 
Ansible config file that are rather helpful. The “’ssh_args’ 
improves SSH connection speed (by multiplexing the 
connections) and key forwarding to simplify the process 
of pulling project code from your git repo on the target 
server. 


Depending on which local user (or root) is used, you may 
or may not need to ‘sudo’ to make system changes. 
Here’s an example ‘ansible.cfg’ file: 


$ cat ansible.cfg
[defaults]
become=yes
become_method=sudo
sudo_flags=-nE

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes


Ansible modules are small pieces of code that do specific things on a given system. For example, the 'user' module allows you to create a system user or modify one, e.g. by changing the shell, setting the password or adding an SSH key. The 'template' module lets you take a Jinja2 template with variables and write out a file. Using variables in the template, entries can change based on environment/location: you can replace the connection strings in the DB config file on each web server, pointing to the closest DB server in the local DC/region. Ansible modules allow you to perform basic tasks on the infrastructure with a minimal amount of effort. Let's test connectivity with Ansible using the ping module:


# The command 'ansible', using the 'local' inventory file, will run on the
# 'fbs' hosts using the 'ping' module to test connectivity.

$ ansible -i local fbs -m ping
fbs-03 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
fbs-02 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
fbs-01 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


The significance here is not that the servers responded to an ICMP echo request with an echo reply; the ping module does much more. Used in this manner, Ansible makes an SSH connection to each host and runs a small piece of Python code that responds with a friendly 'pong' message after it completes successfully. This seemingly simple response confirms that you've met the base criteria (SSH access and a usable Python interpreter) to perform system changes with Ansible.


Many of the Ansible modules run on FreeBSD with no changes. A simple task that creates users can be run on FreeBSD or Linux with no modification. Depending on your needs, the tasks and roles can be very simple or highly complex. I enjoy the polished nature of Ansible. Its default set of modules provides a great deal of functionality.


The Ansible community is alive and active. The best place to look for prebuilt roles is 'Ansible Galaxy'. You can find roles for all of the popular applications and services: NGINX, Apache, MySQL, PostgreSQL, or even a jailed Joomla/WordPress server. Many of the roles available on Ansible Galaxy will help you build a fully functioning service/application; very little coding is required. Let's take a look at a few pieces of an NGINX role from Ansible Galaxy to dive a little deeper. Head over to GitHub and check out https://github.com/icamys/ansible-role-nginx. It's a role created by "icamys" (Prisacari Dmitrii) with twenty-three contributors and check-ins on a regular basis. In 'main.yml' under tasks, we find the following code.


# Nginx setup.
- name: Copy nginx configuration in place.
  template:
    src: nginx.conf.j2
    dest: "{{ nginx_conf_file_path }}"
    owner: root
    group: "{{ root_group }}"
    mode: 0644
  notify:
    - reload nginx


The template module gives us a simple way to update the Nginx config file in the code sample above. The last two lines make the Nginx service reload if this task changed the config file. Take note of the 'dest' and 'group' entries: they are variables that can be substituted for many reasons. The Nginx config path uses a variable so that the file can be placed in the correct location for the target operating system; this particular role is Linux, FreeBSD and OpenBSD compatible. The root group may need to change for the same reason, depending on the operating system of the target server.


Here are the first few lines of nginx.conf.j2:


user  {{ nginx_user }};
error_log  {{ nginx_error_log }};
pid        {{ nginx_pidfile }};
worker_processes  {{ nginx_worker_processes }};


The template includes several variables that can be 
replaced in several ways. You can set defaults that are 
sane fallback entries. Based on the environment the 
target server is in, | would frequently set a larger number 
of worker processes on production systems or change 
the log file location, perhaps using a mount point only 
available on production systems. 


Here’s another example Jinja2 template, the first few 
lines of vhosts.j2: 


oe LO VNOSU. 1m NOInx VhOSusS 2} server 4 


listen {{ vhost.listen | default('80 
the 


default. Server™) 


This template allows you to iterate through a list of 
‘nginx_vhosts’ and creates an entry for every name in the 
list. This is helpful in ensuring that the template is easy 
to read, without excessive repetition of config entries, 
and allows you to create 1 or 100 vhosts entries with 
ease. 


DevOps KungFu: 


It’s helpful to group servers based on function. Whether 
it’s 2 or 2,000 instances, it’s important to define function 
as best as possible. Based on the function, certain types 
of servers should never be accessible to the internet on 
any level, and many are directly accessible or indirectly 
accessible through a load balancer. Each of the groups 
will be assigned one or more Ansible roles. The roles will 
affect which applications are installed, firewall rules 
applied, users added to the system, mount points 


created, etc. Also, the roles can be used to identify the 
appropriate network interfaces or AWS security groups 
when making API calls or running scripts to provide the 
VMs. 


Once you have well-defined roles, you can use them to produce identical environments. It's rather common to see multiple environments in an application's lifecycle, most frequently with names like beta, staging and production. Although Docker is heavily publicized today as helping with portability, FreeBSD implemented jails a very long time ago, and jails are far more secure. Using Ansible for system configuration offers much greater flexibility than a generic container deployment process.
When each environment is configured in exactly the
same way, it becomes easier to find bugs earlier in the 
process. Systems Engineering becomes more about 
finding anomalies and performance tuning than the 
constant firefighting that comes from manually 
configured environments. Development becomes less 
stressful as bugs and issues can be identified earlier in 
the process, no need to stay up all night working ona 
hotfix for a bug live in production. Quality Assurance 
becomes easier as well. Engineers can be sure that the 
tests they run in beta or staging will produce the same 
results as production. 


Flexibility and good app lifecycle payoffs: 


In addition to providing identical environments for production, staging, etc., you can also easily move the application from bare metal to your new virtualized environment, or to a brand new data center or the cloud provider of your choice. Although most cloud providers offer technology that makes application setup and deployment seem easy using their proprietary software, it greatly limits your ability to switch between the various cloud providers. Flexibility is very important when designing an application infrastructure: being able to move between a local data center and various cloud providers offers freedom and additional High Availability and Disaster Recovery options. 


DevOps’ role in compliance 


Is it possible to ensure security patches and system updates have been applied to an entire environment without updating each system one by one? This is when a flexible application lifecycle management system really shows how valuable it can be to an entire organization, not just to Development and Operations Engineers. Why bother updating each system individually? It takes a great deal of network bandwidth and CPU power to update thousands of nodes; perhaps there’s an alternative. 


Certain highly secure environments explicitly deny servers the ability to reach out directly to the internet. This may be done to satisfy compliance requirements or to mitigate the risk of data exfiltration. Although it would be trivial (in network and CPU resources) to host a local FreeBSD mirror in your DC, it’s still an extra cost. Working mainly in AWS environments has forced me to take cost into account in all of my Systems Architecture and Operations decisions. One option is to update one single host and use the updated host to create a new image, which will then be used to rebuild the entire web application infrastructure. This is a particularly helpful option when working in an environment with no internet access. 


Provisioning a new set of servers to push out security updates is not likely to be an effective approach in all situations. In some situations, that approach could be counterproductive, causing congestion on the storage network or excessive I/O on the SANs. Although there are drawbacks, provisioning a fresh new infrastructure can be used to deal with many types of changes related to compliance. Perhaps there’s a need to swap to a new type of logging solution or monitoring agent. Many issues can arise from updating configuration strings on a live running system: locked files, hung processes, services failing to start after applying a change or update. Provisioning a fresh new instance with only the correct software installed and configuration settings applied can avoid many different types of issues. Dealing with complicated issues and debugging can be very fun at times. However, avoiding those many different types of issues altogether has its perks as well. 


Systems running in an extremely high-security environment may be configured in ways that greatly limit the ability to make changes to them. A final step of an application deployment could be to set certain partitions to mount read-only, increase the system’s security level and then reboot. The running systems would be more difficult for attackers to compromise, but high-security environments can create additional hurdles for large-scale administration. 


So, it’s very important to have many approaches and 
techniques to deal with large scale infrastructure 
challenges. One of the techniques that is always helpful 
is making sure that repetitive tasks can be performed 
using automation, rather than large amounts of manual 
configuration effort. 


Conclusion 


Ansible is a relatively new kid on the block compared to Puppet and Chef. I prefer to work with Python over Ruby, and have found that Ansible has reached parity with the functionality of Puppet or Chef. I’ve had the opportunity to work with nearly every major infrastructure management tool available today. Working with them in large-scale production environments has kept my mind open to the many options available today. I certainly would not say Ansible is better, or Chef is better, or Puppet, but I would say that, like all software, each has highlights and drawbacks that must be weighed carefully against each other. 


Of all the tools I’ve used, Chef and Ansible are the top 
two in my opinion. The only deciding factor in my mind is 
whether the team supporting it prefers Ruby or Python. 
Check out Arun Tomar’s workshop and Ebook to learn 
more about DevOps with Chef On FreeBSD. 


It’s so exciting to see the many options available to 
manage large-scale FreeBSD server environments. 
Although Ansible is a relatively new kid on the block, it 
has all the features necessary to create and maintain 
secure, efficient and scalable Continuous Integration 
environments for software deployments. 
Taking a Look at SmartOS Containers 


SmartOS is an illumos distribution created by Joyent that is aimed at cloud computing, the main business of Joyent. SmartOS acts as a hypervisor on which you can create VMs using KVM (which was ported by the SmartOS team from Linux to SmartOS) or bare-metal containers/zones that host illumos guests or even Linux ones. 


But what is illumos? illumos is the open-source fork of the former OpenSolaris project, which started at Sun Microsystems. The former engineers that worked on Solaris/OpenSolaris made it available to the open-source community. Here are some of the features that SmartOS/illumos brings to the table, taken from the SmartOS wiki page: 


Operating System Virtualization 


"Thanks to the Solaris/Illumos heritage, SmartOS already had Containers and Zones -- container-based virtualization (containers is supposed to mean zones + resource controls) that allowed users to run multiple applications set on one server isolated from one another. With KVM on SmartOS, Joyent can now address workloads that require running a full operating system for those customers who need Linux, Windows or other OS to run in full, hardware-assisted virtualization. Unlike any other "hypervisor", Joyent's KVM images run as a process inside of a zone. It turns out to be a very secure way to run Windows. And, unlike Linux, SmartOS gives customers access to Solaris technologies that many users find compelling — like DTrace and ZFS." 


This is proven technology which dates back to the Solaris 10 days. It has been battle-tested; even the lx zones ran great back in the day. Now the lx brand (a brand is the concept used to name which OS runs in a zone; in this case, lx means Linux) has been resurrected, updated and works great! 
Resource Controls 


SmartOS offers two methods for controlling CPU 
consumption: 


Fair share scheduler lets the operator set a minimum 
guaranteed share of CPU. It takes effect when the 
system is busy due to the demand from more than one 
zone, to ensure that each gets its fair share. Otherwise, 
when the system is not busy, a zone can "burst" beyond 
its usual limit, consuming more than the minimum as 
guaranteed, up to the CPU cap set for it. 


CPU cap is a maximum, e.g. an amount of CPU time that 
a user has paid for. This can also be used to set user 
expectations about system performance, even when the 
overall system is not yet populated and the workload is 
still light. 


Network Virtualization 


Virtualization is also used to create the illusion of things 
that aren't actually on the real system, such as virtual 
network interfaces (VNICs). Joyent was one of the first 
users of Project Crossbow, which added network 
virtualization to OpenSolaris. Using this technology, each 
Joyent SmartMachine gets up to 32 VNICs, each with its 
TCP/IP stack. This helps to maximize another scarce 
resource, IPv4 addresses, through the use of network 
pools. 


Observability 


Users of Illumos, Mac OS X and FreeBSD know that DTrace gives them an unprecedented view of what's going on throughout the software stack. In SmartOS, it allows operators to observe and troubleshoot across all the zones and nodes in an entire data center. In SmartDataCenter, the Joyent team has harnessed the power of DTrace in a more user-friendly form with Cloud Analytics, which is available to both cloud operators and their customers. 


Security 


Solaris has long been the operating system of choice in highly secure data centers, thanks to several features which SmartOS inherits. SmartOS zones, though they share system resources such as CPU and disk space, simply cannot see each other. Users in a multi-tenant environment are thus protected from each other, i.e. your neighbor's security lapse will not affect your zone. Additionally, data security is also assured. No byte of data from one customer is shared with any other customer, now or later, because: 


• A zone can only see its own network traffic. 


• Disk storage is accessed only via ZFS file systems, never raw devices. Each SmartMachine has its own file system and does not even know of the existence of any other. 


• A user has no access to raw memory devices, so he/she can't scan the system’s memory. 


• Upon deletion of a SmartMachine, the file system is destroyed and there is no device path by which a future customer could access any data left over in that file system. 


A SmartMachine is protected from DDoS attacks by some of the same features that guarantee that it gets a fair share of system resources: fair share scheduler, caps, process limits, rcapd, swap cap, disk file system limits, quota limits. 


By capping each zone's resource usage, SmartOS ensures 
that, even under heavy attack, a zone will not bring down its 
neighbors. 


ZFS 


If you don’t know ZFS, you should start learning about it right now. Here are a couple of features that come with ZFS, the last word on file systems: 


• Data integrity is guaranteed, with particular emphasis on preventing silent data corruption. 


• Storage pools: "virtualized storage" makes administrative tasks and scaling far easier. To expand storage capacity, all you need to do is add new disks (hard disks, flash memory and whatever may come along in the future) to a zpool. 


• Snapshots: ZFS' copy-on-write transactional model makes it possible to capture a snapshot of an entire file system at any time, storing only the differences between that and the working file system as it continues to change. This creates a backup point that the administrator can easily roll back to. 


• Clones: Snapshots of volumes and file systems can be cloned, creating an identical copy. Cloning is nearly instantaneous and initially consumes no additional disk space. This facilitates the rapid creation of new, nearly identical VMs. 


• The ARC (Adaptive Replacement Cache) improves file system and disk performance, driving down overall system latency. 


Scalability 


This is an enterprise, battle-tested OS that has been the choice for enterprise computing for several years! 


Reliability 


Fault management (FMA): "fine-grained fault isolation and restart where possible of any component — hardware or software — that experiences a problem. To do so, the system must include intelligent, automated, proactive diagnoses of errors that are observed on the system. The diagnosis system is used to trigger targeted automated responses or guided human intervention that mitigates a specific problem or at least prevents it from getting worse." 


The Service Management Facility (SMF) is "a feature of the Solaris operating system that creates a supported, unified model for services and service management on each Solaris system". 


Installing SmartOS 


If you are going to install on bare metal, it is a good idea to first check the illumos hardware compatibility list, and also the hardware requirements for SmartOS: 


https://wiki.smartos.org/display/DOC/Hardware+Requirements 


Download the USB image, VMware image or ISO from 


https://wiki.smartos.org/display/DOC/Download+SmartOS 


Now that we have the SmartOS image, let’s start installing it. SmartOS runs as a hypervisor and runs entirely from memory, so no disk space is wasted on a root dataset. We will focus only on our containers. 


I'll choose default. If you have more than one disk, you could use raidz2 or mirror, or choose manual to create log (ZIL) devices, cache devices and whatever else you need. 


Here, all our network interfaces will appear. We need to choose one of them to configure as the admin interface. Thereafter, we could set up the rest of the interfaces. 


At this time, we will only use the admin interface. 


Press enter, then assign an IP address or just type dhcp. 


In my case, my IP is 192.168.1.1. 


Also here, my IP is 192.168.1.1. 
SmartOS zones/containers 


Containers were inspired by FreeBSD jails. In Solaris 10, 
they are called zones. A zone is a virtualized instance 
that behaves like an isolated system even when 
functioning alongside other zones on the same machine. 
Each zone on a system shares a pool of resources and 
the single operating system kernel. However, Zones are 
never aware of other zones on the system and are 
process secure. A zone is similar to a virtual machine, but 
is distinct in that it shares the base system kernel 
whereas each virtual machine runs its own OS kernel. 
Zones are an inherent part of the operating system and 
impose no additional overhead. Each process that runs 
includes the zone ID as an attribute. Thus, zones scale 
and perform better than virtual machines since there is 
no additional kernel or layering involved. 


Creating SmartOS containers 


To create containers, we use the handy vmadm tool that comes with SmartOS. 


vmadm allows you to interact with virtual machines on a SmartOS system. 
At the moment, there are three types of machines: 

• OS Virtual Machines (SmartOS zones). 

• LX Brand (Linux zones). 

• KVM Virtual Machines. 


All of them can be managed with vmadm. It allows you to 
create, inspect, modify and delete virtual machines on 
the local system. 


The steps to create a container are as follows: 


• Download an image that the container will be based on. This is done using the imgadm command. 


• Create a json file to describe your container/VM configuration. 


• Create the container using the vmadm create command and the json file previously created. 


imgadm allows you to import and manage virtual machine images on a SmartOS system. Virtual machine images (also sometimes referred to as datasets) are snapshots of pre-installed virtual machines which are prepared for generic and repeated deployments. 


First, let’s add Joyent to our source of images: 
$ imgadm sources -a https://images.joyent.com 


Images are identified by UUID. We will fetch this one because it is the image recommended for building SmartOS live; you could choose another one. 


$ imgadm import e69a0918-055d-11e5-8912-e3ceb6df4cf8 


You could check the ones available using: 
$ imgadm avail 


Now that we have an image, we are able to start creating our container/zone/VM, whatever name you choose; it’s described at creation by a json file. Here is an example for a SmartOS-based container. 


Save this file as build01.json or whatever name you choose. 


{
  "brand": "joyent",
  "fs_allowed": "ufs,pcfs,tmpfs",
  "image_uuid": "e69a0918-055d-11e5-8912-e3ceb6df4cf8",
  "alias": "build01",
  "hostname": "b01",
  "max_physical_memory": 2024,
  "quota": 10,
  "resolvers": ["8.8.8.8", "192.168.1.1"],
  "nics": [
    {
      "nic_tag": "admin",
      "ips": ["dhcp"],
      "primary": true
    }
  ]
}


I’ll describe each of the keys used. There are more, but for this example we will only use these ones. The rest of the keys are described in the vmadm man page. 


brand: This will be one of joyent, joyent-minimal or lx for OS virtualization and kvm for full hardware virtualization. This is a required value for VM creation. 


image_uuid: The UUID of the image you are using as a template; in our case it is the one we just fetched. 


alias: An alias for a VM which is for display/lookup purposes only. Not required to be unique. 


fs_allowed: This option allows you to specify the file system types this zone is allowed to mount. As I use this container to build SmartOS live, the values used are the Joyent recommended ones. 


resolvers: For OS VMs (not KVM ones), this value sets the resolvers which are placed in /etc/resolv.conf at VM creation. If maintain_resolvers is set to true, updating this property will also update the resolvers in /etc/resolv.conf. For KVM VMs, these will get passed as the resolvers with DHCP responses. 


nics: When creating a KVM VM or getting a KVM VM's JSON, you will use this property. This is an array of nic objects. The properties available are listed below under the nics.*.<property> options. If you want to update nics, see the special notes in the section above about the update command. When adding or removing NICs, the NIC names will be created in the order of the interfaces in the nics or add_nics array. 


quota: This sets a quota on the zone file system. For OS VMs, this value is the quota for the zone containing the VM. Set quota to 0 to disable (i.e. for no quota). 


nics.*.ips: An array of IPv4 or IPv6 addresses to assign to this NIC. The addresses should specify their routing prefix in CIDR notation. The strings dhcp (DHCPv4) and addrconf (SLAAC or DHCPv6) can also be used to obtain the address dynamically. Up to twenty addresses can be listed. 


nics.*.nic_tag: This option for a NIC determines which host NIC the VM's nic will get attached to. The value can be either a nic tag as listed in the NIC Names field in sysinfo, or an etherstub or device name. 


nics.*.primary: This option selects which NIC’s default gateway and name server values will be used for this VM. If a VM has any nics, there must always be one primary. Setting a new primary will unset the old. Trying to set two nics to primary is an error. 


max_physical_memory: The maximum amount of memory on the host that the VM is allowed to use. 


Screenshot: output of running pkgin install apache inside the new zone (this step is described further below): 

[root@b01 ~]# pkgin install apache
calculating dependencies... done.

nothing to upgrade.
3 packages to be installed (8101K to download, 29M to install):

apr-util-1.5.4nb1 apr-1.5.1 apache-2.4.23nb2

proceed ? [Y/n] y
downloading packages...
apr-util-1.5.4nb1.tgz 100% ...
apr-1.5.1.tgz 100% ...
apache-2.4.23nb2.tgz 100% ...
installing packages...
installing apr-util-1.5.4nb1...
installing apr-1.5.1...
installing apache-2.4.23nb2...
apache-2.4.23nb2: group www ...
apache-2.4.23nb2: user www ...
passwd: password changed for www
apache-2.4.23nb2: copying /opt/local/share/examples/httpd/extra/httpd-autoindex.conf to /opt/local/etc/httpd/httpd-autoindex.conf
... (httpd-dav.conf, httpd-default.conf, httpd-info.conf, httpd-languages.conf, httpd-manual.conf, httpd-mpm.conf, httpd-multilang-errordoc.conf and httpd-ssl.conf are copied the same way) 


Before creating the container, first validate the VM description using vmadm; just type: 


$ vmadm validate create -f build01.json 


It will error out if there is a mistake in the json file, and tell you in which key/value it is. 


Using this json file, the output should be: 

VALID 'create' payload for joyent brand VMs. 

Now, let’s create it: 

$ vmadm create -f build01.json 


If the container is created successfully, it should be listed in the containers list: 


$ vmadm list 
UUID                                  TYPE  RAM      STATE             ALIAS 
8bd4af70-5751-cc85-ad93-c41dd9c797e5  LX    512      running           lxtest 
b1094c32-3ecb-ea03-cfde-e4f5b38c0816  OS    2024     running           build01 


Now, log in to your zone/container using its UUID: 


$ zlogin b1094c32-3ecb-ea03-cfde-e4f5b38c0816 


And you will see this: 
SmartOS uses pkgsrc as its package manager. So, in our newly created container, we could install whatever package is in the Joyent repo, https://pkgsrc.joyent.com/ . For example, let’s install the old trusty Apache web server. 


$ pkgin install apache 


Creating Linux containers (lx brand zones) 


If you are suffering from vendor lock-in, and your application only runs on Linux because you don’t have the source code, or you have the source code but it’s full of linuxisms and you don’t have the time to port it, or you are simply most used to Linux, then lx zones could save the day. 


You could run your Linux application unmodified just as you usually do, but will enjoy all the goodies from illumos/SmartOS like ZFS and DTrace, which is amazing. 


As we did with the SmartOS container, we need a VM image, so let’s fetch one. 


Add the Joyent image sources (because you could also host your own images) and then check which Linux containers are available: 


$ imgadm sources -a https://images.joyent.com 
$ imgadm avail | grep lx-dataset 


Let’s create an Ubuntu zone as illustrated in the SmartOS documentation: 


$ imgadm import 05140a7e-279f-11e6-aedf-47d4f69d2887 


As we did for the illumos zone, we need to create a json file that will describe the VM and use the image we just downloaded. 


Save this as lx.json or whatever name you choose. 


{
  "alias": "lxtest",
  "brand": "lx",
  "kernel_version": "4.3.0",
  "max_physical_memory": 512,
  "quota": 10,
  "image_uuid": "05140a7e-279f-11e6-aedf-47d4f69d2887",
  "resolvers": ["8.8.8.8", "192.168.1.1"],
  "nics": [
    {
      "nic_tag": "admin",
      "ips": ["dhcp"],
      "primary": true
    }
  ]
}


The only keys that are new in this json are the following: 


kernel_version: This sets the version of Linux to emulate for LX VMs. 

brand: lx, because this is a Linux zone. 


As usual, before creating the VM, validate the json file using vmadm: 


$ vmadm validate create -f lx.json 
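As an added example (not from the article, and not part of the vmadm tool itself), the Python script below re-implements offline the payload constraints that the build01.json and lx.json files and the key descriptions above rely on: the allowed brand values, a UUID-shaped image_uuid, a non-negative quota, CIDR or dhcp/addrconf entries in nics.*.ips, exactly one primary NIC, and kernel_version for the lx brand. The sample payloads are constructed copies of the two files plus a deliberately broken one; vmadm validate create remains the real authority.

```python
import ipaddress
import json
import re

# Brand values from the article's key description (OS virtualization vs. full KVM)
ALL_BRANDS = {"joyent", "joyent-minimal", "lx", "kvm"}
# Keywords nics.*.ips accepts instead of a CIDR address
DYNAMIC_IPS = {"dhcp", "addrconf"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def check_ip_entry(entry):
    """Return None if entry is an acceptable nics.*.ips value, else the reason it is not."""
    if entry in DYNAMIC_IPS:
        return None
    if "/" not in entry:
        return "missing CIDR routing prefix"
    try:
        ipaddress.ip_interface(entry)
    except ValueError:
        return "not a valid IPv4/IPv6 address with prefix"
    return None


def check_payload(text):
    """Lint a vmadm 'create' payload; returns a list of problems (empty means clean)."""
    try:
        vm = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(vm, dict):
        return ["payload must be a JSON object"]
    problems = []

    brand = vm.get("brand")
    if brand not in ALL_BRANDS:
        problems.append(f"brand must be one of {sorted(ALL_BRANDS)}, got {brand!r}")
    if brand == "lx" and "kernel_version" not in vm:
        problems.append("lx brand needs kernel_version (the Linux version to emulate)")

    image = vm.get("image_uuid")
    if not isinstance(image, str) or not UUID_RE.match(image):
        problems.append(f"image_uuid must be the UUID of an imported image, got {image!r}")

    quota = vm.get("quota", 0)
    if isinstance(quota, bool) or not isinstance(quota, int) or quota < 0:
        problems.append(f"quota must be a non-negative integer (0 = no quota), got {quota!r}")

    # Exactly one NIC must be primary whenever any NICs are defined
    nics = vm.get("nics", [])
    primaries = 0
    for idx, nic in enumerate(nics):
        if not nic.get("nic_tag"):
            problems.append(f"nics[{idx}]: nic_tag is required")
        for ip in nic.get("ips", []):
            reason = check_ip_entry(ip)
            if reason:
                problems.append(f"nics[{idx}].ips {ip!r}: {reason}")
        if nic.get("primary") is True:
            primaries += 1
    if nics and primaries != 1:
        problems.append(f"exactly one NIC must be primary, found {primaries}")
    return problems


# Constructed copies of the article's build01.json and lx.json
BUILD01_JSON = """{
  "brand": "joyent", "fs_allowed": "ufs,pcfs,tmpfs",
  "image_uuid": "e69a0918-055d-11e5-8912-e3ceb6df4cf8",
  "alias": "build01", "hostname": "b01",
  "max_physical_memory": 2024, "quota": 10,
  "resolvers": ["8.8.8.8", "192.168.1.1"],
  "nics": [{"nic_tag": "admin", "ips": ["dhcp"], "primary": true}]
}"""
LX_JSON = """{
  "alias": "lxtest", "brand": "lx", "kernel_version": "4.3.0",
  "max_physical_memory": 512, "quota": 10,
  "image_uuid": "05140a7e-279f-11e6-aedf-47d4f69d2887",
  "resolvers": ["8.8.8.8", "192.168.1.1"],
  "nics": [{"nic_tag": "admin", "ips": ["dhcp"], "primary": true}]
}"""
# Constructed broken payload: lx without kernel_version, bad UUID, negative quota,
# an address without its prefix, and two primary NICs (five findings)
BROKEN_JSON = """{
  "brand": "lx", "image_uuid": "not-a-uuid", "quota": -1,
  "nics": [
    {"nic_tag": "admin", "ips": ["192.168.1.50"], "primary": true},
    {"nic_tag": "admin", "ips": ["dhcp"], "primary": true}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("build01.json", BUILD01_JSON), ("lx.json", LX_JSON), ("broken.json", BROKEN_JSON)):
        found = check_payload(text)
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```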


Log in to the new lx zone with zlogin, using the container UUID. 


The first thing we need to do before we start working on this zone is to create users. As usual, type the following commands: 


$ adduser -d /home/<your_user_home_dir> <username> 


$ mkdir /home/<your_user_home_dir> && chown -R <username> /home/<your_user_home_dir> 


Set the password for this user: 


$ passwd <username> 
Set the root password, since it’s not set up by default in this container: 


$ passwd 


By default, we cannot log in to this zone using ssh. Therefore, we just need to modify /etc/ssh/sshd_config and change the following from no to yes: 


# Change to no to disable tunnelled clear text passwords 
PasswordAuthentication yes 


Also, add the following as we want to forward X11 
applications: 


X11Forwarding yes 
X11UseLocalhost no 


Now restart the sshd server: 
$ service sshd restart 


Then, let’s run apt-get: 


$ apt-get update 


All is working perfectly! Remember that we are using an illumos kernel with the Linux personality. This means that Linux syscalls are translated into illumos syscalls. Therefore, there is almost no overhead in running an lx zone instead of full machine virtualization with KVM. 


At this time, let’s try an X11 application; let’s install Firefox. 

$ apt-get install firefox libglu1-mesa 


Firefox needs libGL.so, thus we will install it. But when we try to execute Firefox, we'll get this error: 


Couldn't open libGL.so.1: libGL.so.1: cannot open shared object file: No such file or directory 


Let’s check the zone's IP address, then connect to the lx zone using ssh and test X11 forwarding: 


$ ifconfig -a 


$ ssh -X -l <username> <host> 

Now that we are in, let’s execute Firefox by typing: 

$ firefox 


It should appear on your screen if X11 forwarding is working on your side. Extensions do not work, because the Linux syscall splice (http://man7.org/linux/man-pages/man2/splice.2.html) still has to be implemented in the lx brand syscall table, but this is no show stopper. 


Conclusion 


There are a lot of neat things to do with SmartOS as a home server. For instance, run containers for development or production in your company, to speed up development using containers, game servers, etc. I started knowing about zones in Solaris 10 from running several Linux game servers, which run great under the lx brand. I could debug and tune performance using DTrace; now it is even better. 


SmartOS is built on the legacy of OpenSolaris, now illumos. Moreover, there are top talents working on this. Joyent hired all the big guns to work on SmartOS and the result is just amazing. If you like the way containers are handled, or if you like Docker, just check out Triton from Joyent. I'll talk about Triton in another issue. 
Here are a couple of links for you to check out more on SmartOS: 


Joyent’s GitHub repository 

https://github.com/joyent 


Triton 

https://github.com/joyent/triton 


SmartOS wiki 

https://wiki.smartos.org/display/DOC/LX+Branded+Zones 


Why SmartOS? 

https://wiki.smartos.org/display/DOC/Why+SmartOS+-+ZFS%2C+KVM%2C+DTrace%2C+Zones+and+More 


Avoiding Linuxisms 

https://wiki.freebsd.org/AvoidingLinuxisms 
OpenBSD as a Gateway Firewall for SOHO and Enterprise Networks 


OpenBSD is the second most used BSD operating system, with a share standing at around 33%, preceded by FreeBSD (70%) and followed by NetBSD and DragonflyBSD. The project slogan is "Only two remote holes in the default install in more than ten years." 


It is widely used in various enterprise fields, and not only for the creation of web servers, mail servers and DNS, or for network firewalling through the powerful PF, made available free of charge with the base installation. 


Creating a Router / Firewall with OpenBSD 


A router is a network device that, in a packet-switched network, takes care of routing data, subdivided into packets, between different subnets. At a logical level it is therefore an internal node of the network, responsible for switching at layer three of the OSI model. The routing may be either to subnetworks connected directly on separate physical interfaces, or to other neighboring subnets, thanks to the information contained in the routing tables. A key feature of the router is that it uses IP addresses, at layer three of the TCP/IP stack, whereas switches forward locally based on layer-two addresses. 


The entries of the routing table may correspond either to individual computers or to entire networks (subnet IDs) or subsets of them, covering even very large address spaces. This is critical to the scalability of networks, as it allows even very large networks to be handled while the routing tables grow less than linearly with respect to the number of hosts. 
A firewall is a software or hardware resource that checks information coming from the Internet or another network, blocking or allowing access to your computer depending on the security policy set. Its main function is to act as a filter controlling all the network traffic that comes from outside, as well as what is generated from the inside, allowing only the traffic that is authorized. The primary need of every modern company is to define, beforehand, the policies that secure access to the network. Perimeter security requires optimal and high-quality solutions that guarantee and adequately control the traffic generated. 


The files sysctl.conf, rc.conf and rc.conf.local 

#/etc/sysctl.conf 
net.inet.ip.forwarding=1          # (default:0) Enables IP forwarding 
net.inet.ah.enable=1              # (default:1) Enables AH 
net.inet.esp.enable=1             # (default:1) Enables ESP 
net.inet.esp.udpencap=1           # (default:1) Enables UDP encapsulation 
net.inet.esp.udpencap_port=4500   # (default:4500) Sets port for UDP encapsulation 
net.inet.ipcomp.enable=1          # (default:0) Enables IPsec compression 
net.pipex.enable=1                # (default:0) Enables PIPEX 
net.inet.gre.allow=1              # (default:0) Enables GRE 

#/etc/rc.conf.local 
pkg_scripts="dnsmasq" 

#/etc/rc.conf 
isakmpd_flags="-K" 
npppd_flags="" 
pf=YES          # Packet filter / NAT 
ipsec=YES       # IPsec 


Profile for user root 

# $OpenBSD: dot.profile,v 1.4 2010/12/13 12:54:31 millert Exp $ 
# 
# sh/ksh initialization 

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin 
export PATH 
: ${HOME='/root'} 
export HOME 
export PKG_PATH=http://openbsd.mirror.garr.it/pub/OpenBSD/6.0/packages/i386/ 
PS1="\u@\h[\w]" 
export PS1 
umask 022 

case "$-" in 
*i*)	# interactive shell 
	if [ -x /usr/bin/tset ]; then 
		if [ X"$XTERM_VERSION" = X"" ]; then 
			eval `/usr/bin/tset -sQ '-munknown:?vt220' $TERM` 
		else 
			eval `/usr/bin/tset -IsQ '-munknown:?vt220' $TERM` 
		fi 
	fi 
	;; 
esac 


VLAN: how to configure them and why 


VLANs are an easy, fast and secure means to segment our network and secure the devices that interest us most, without having to use different IP addresses. VLANs are managed at level 2 of the ISO/OSI stack or TCP/IP. As a result, the main configuration will be made right in the network switches that the devices will be connected to. 


For example, the devices that connect to ports 1, 2 and 3 can only exchange data among themselves and will not see, in any case, other devices connected to the same switch or to others. The same applies the other way around. 


A PC connected to port 7 of the switch will not know of the existence of a server connected to the second port, because they belong to two different VLANs. Using VLANs is an excellent practice to defend against network issues, virus attacks and endpoint misconfigurations, and especially to decide beforehand who can talk to whom, without configuring a different IP network. Take the case of a company that has twenty-five computer stations, three network printers, three access points and two cameras. 


Using VLANs allows us to divide the network by office. The administration office will have its own access point and its own printer, and can talk to and see only its own PCs. 


If, within the dedicated VLAN, a computer is infected with a virus, the virus can only cause damage to members of that VLAN. This is because all the other PCs on the network are not visible to it, and are therefore immune to the attack. The same company also offers free Wi-Fi to its guests. By configuring a dedicated VLAN on the access point, those who connect to a specific SSID will be automatically tagged and will only see what we decided beforehand. Quite often, a guest can only browse the internet; even if they try to browse the internal network, they will not see anything. 


Gateway and DNS settings for our OpenBSD 6 Router Firewall:

WAN interface ( /etc/hostname.em0 ):

inet 192.168.44.40 255.255.255.0 NONE
inet alias 192.168.44.41 255.255.255.0
inet alias 192.168.44.42 255.255.255.0
#!route add -net 192.168.202.0/24 192.168.44.50
#!route add -net 192.168.203.0/24 192.168.44.50

Router firewall hostname ( /etc/myname ):

obsd6-fwgw.domain.tld

Router firewall gateway ( /etc/mygate ):

192.168.44.x (the last octet is unreadable in the scanned original)

Router firewall DNS settings ( /etc/resolv.conf ):

search domain.tld
nameserver 192.168.10.1
nameserver 8.8.8.8




Physical LAN interface ( /etc/hostname.em1 ):

up # Vlan hardware interface

Physical MANAGEMENT interface ( /etc/hostname.em2 ):

inet 192.168.200.1 255.255.255.0 NONE

Vlan Setup

VLAN interface for LAN CLIENTS ( /etc/hostname.vlan10 ):

inet 192.168.10.1 255.255.255.0 NONE vlan 10 vlandev em1

VLAN interface for DMZ SERVERS ( /etc/hostname.vlan20 ):

inet 192.168.20.1 255.255.255.0 NONE vlan 20 vlandev em1

VLAN interface for VOIP CLIENTS ( /etc/hostname.vlan30 ):

inet 192.168.30.1 255.255.255.0 NONE vlan 30 vlandev em1


DHCP DNS 


Dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide a coupled DNS and DHCP service to a LAN. It accepts DNS queries and either answers them from a small local cache or forwards them to a real, recursive DNS server. Additionally, it loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved. It also answers DNS queries for DHCP-configured hosts and can act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.


OpenBSD

[Figure: OpenBSD inter-VLAN routing over an 802.1q trunk: vlan10 192.168.10.0/24, vlan20 192.168.20.0/24 and vlan30 192.168.30.0/24 carried on one Fast Ethernet trunk.]

DNSSEC options of the main dnsmasq configuration, /etc/dnsmasq.conf (left commented out in the article):

# DNSSEC setup
#dnssec
#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CF1B68F13
#dnssec-check-unsigned


The dnsmasq DHCP server supports static address assignments and multiple networks. It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options. It also runs as a secure, read-only TFTP server to allow net/PXE boot of DHCP hosts, and supports BOOTP as well. The server includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server.

Configuration files for dns, dhcp and vlan

Main configuration file for the dnsmasq cache resolver ( /etc/dnsmasq.conf.resolv ):

nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 208.67.220.220

Main configuration file for dnsmasq as DHCP/DNS server ( /etc/dnsmasq.conf ):

# Configuration file for dnsmasq OpenBsd Vlan Server.
#no-resolv
no-poll
interface=lo
no-dhcp-interface=lo
conf-dir=/etc/dnsmasq.d
resolv-file=/etc/dnsmasq.conf.resolv
# Authoritative DHCP SERVER
dhcp-leasefile=/var/log/dnsmasq.leases
dhcp-authoritative
# Debugging DNS queries
log-queries
# Logging DHCP transactions.
log-facility=/var/log/dnsmasq.log
log-dhcp

Specific configuration files for each VLAN are stored in /etc/dnsmasq.d/vlanX.conf:

Configuration file for LAN VLAN:

# Configuration file for dnsmasq OpenBsd Vlan Server.
interface=vlan10
# Insert domain after hostname
domain=domain10.tld
expand-hosts
# Setting DHCP Ranges
dhcp-range=vlan10,192.168.10.20,192.168.10.200,255.255.255.0,48h
# Static DHCP Settings lan 10
#dhcp-host=00:0F:FE:33:CD:AE,192.168.10.3 # Asterisk Server
#dhcp-host=00:48:54:5B:F8:EB,192.168.10.4 # VMware Server
# SAMBA/WINBINDD Dhcp Server Options
dhcp-option=19,0 # option ip-forwarding off
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
#dhcp-option=47
# VLAN DNS SERVER ID
dhcp-option=vlan10,6,<two public DNS addresses, unreadable in the scan>,192.168.10.1
# Default router
dhcp-option=vlan10,3,192.168.10.1
#dhcp-option=23,64
# Broadcast Address (option 28; option 26 is the interface MTU)
dhcp-option=28,192.168.10.255
# NTP Server
#dhcp-option=42,0.0.0.0
# Domain Name
dhcp-option=15,domain10.tld


Configuration file for DMZ VLAN:

# Configuration file for dnsmasq OpenBsd Vlan Server.
interface=vlan20
listen-address=192.168.20.1
# Insert domain after hostname
domain=domain20.tld
expand-hosts
# Setting DHCP Ranges
dhcp-range=vlan20,192.168.20.20,192.168.20.200,255.255.255.0,48h
# Static DHCP Settings lan 10
#dhcp-host=00:0F:FE:33:CD:AE,192.168.20.3 # Asterisk Server
#dhcp-host=00:48:54:5B:F8:EB,192.168.20.4 # VMware Server
# SAMBA/WINBINDD Dhcp Server Options
dhcp-option=19,0 # option ip-forwarding off
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
#dhcp-option=47
# VLAN DNS SERVER ID
dhcp-option=vlan20,6,<two public DNS addresses, unreadable in the scan>,192.168.20.1
# Default router
dhcp-option=vlan20,3,192.168.20.1
#dhcp-option=23,64
# Broadcast Address (option 28; option 26 is the interface MTU)
dhcp-option=28,192.168.20.255
# NTP Server
#dhcp-option=42,0.0.0.0
# Domain Name
dhcp-option=15,domain20.tld


Configuration file for VOIP VLAN:

# Configuration file for dnsmasq OpenBsd Vlan Server.
interface=vlan30
listen-address=192.168.30.1
# Insert domain after hostname
domain=domain30.tld
expand-hosts
# Setting DHCP Ranges
dhcp-range=vlan30,192.168.30.20,192.168.30.200,255.255.255.0,48h
# Static DHCP Settings lan 10
#dhcp-host=00:0F:FE:33:CD:AE,192.168.30.3 # Asterisk Server
#dhcp-host=00:48:54:5B:F8:EB,192.168.30.4 # VMware Server
# SAMBA/WINBINDD Dhcp Server Options
dhcp-option=19,0 # option ip-forwarding off
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
#dhcp-option=47
# VLAN DNS SERVER ID
dhcp-option=vlan30,6,<two public DNS addresses, unreadable in the scan>,192.168.30.1
# Default router
dhcp-option=vlan30,3,192.168.30.1
#dhcp-option=23,64
# Broadcast Address (option 28; option 26 is the interface MTU)
dhcp-option=28,192.168.30.255
# NTP Server
#dhcp-option=42,0.0.0.0
# Domain Name
dhcp-option=15,domain30.tld

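
The three per-VLAN files above differ only in the VLAN number, so it pays to generate them from one template and verify each file before copying it into /etc/dnsmasq.d, since a file copied from another VLAN and half-edited hands clients a wrong router or DNS address. The script below is an added example, not the article's code: gen_vlan_conf and check_vlan_conf are hypothetical names, and it assumes the article's addressing scheme (VLAN N is 192.168.N.0/24 with the firewall at .1, a .20-.200 pool and the domain domainN.tld).

```sh
#!/bin/sh
# Added example (not from the article): generate the per-VLAN
# /etc/dnsmasq.d/vlanN.conf files from the article's pattern and check
# each one before installing it.  Assumptions (hypothetical, mirroring the
# article): VLAN N uses 192.168.N.0/24, the firewall is .1, the DHCP pool
# is .20-.200 with a 48h lease and the domain is domainN.tld.  The public
# DNS list is a parameter; the function names are this example's own.
set -eu

# gen_vlan_conf <vlan-id> <dns1,dns2>  -> config text on stdout
gen_vlan_conf() {
    id=$1; pubdns=$2
    net="192.168.$id"
    cat <<EOF
# dnsmasq per-VLAN configuration for vlan$id (generated)
interface=vlan$id
listen-address=$net.1
domain=domain$id.tld
expand-hosts
dhcp-range=vlan$id,$net.20,$net.200,255.255.255.0,48h
# NetBIOS/WINS options as in the article's files
dhcp-option=19,0
dhcp-option=44,0.0.0.0
dhcp-option=45,0.0.0.0
dhcp-option=46,8
# option 6: DNS servers handed to clients, the VLAN gateway last
dhcp-option=vlan$id,6,$pubdns,$net.1
# option 3: default router
dhcp-option=vlan$id,3,$net.1
# option 28: broadcast address (26 would be the interface MTU)
dhcp-option=28,$net.255
dhcp-option=15,domain$id.tld
EOF
}

# check_vlan_conf <file>  -> 0 if consistent, 1 otherwise (reasons on stderr)
# A file is consistent when its interface= line names vlanN, every
# 192.168.x.y address in it lies in 192.168.N.0/24, and the dhcp-range and
# router option carry the vlanN tag.  A mismatch usually means the file was
# copied from another VLAN and not fully edited.
check_vlan_conf() {
    f=$1
    id=$(sed -n 's/^interface=vlan\([0-9]*\)$/\1/p' "$f")
    [ -n "$id" ] || { echo "$f: no interface=vlanN line" >&2; return 1; }
    net="192.168.$id"
    rc=0
    for a in $(grep -o '192\.168\.[0-9]*\.[0-9]*' "$f"); do
        case $a in
            "$net".*) ;;
            *) echo "$f: $a is outside $net.0/24" >&2; rc=1 ;;
        esac
    done
    grep -q "^dhcp-range=vlan$id," "$f" \
        || { echo "$f: dhcp-range is not tagged vlan$id" >&2; rc=1; }
    grep -q "^dhcp-option=vlan$id,3,$net.1\$" "$f" \
        || { echo "$f: router option (3) missing or wrong" >&2; rc=1; }
    return $rc
}

# Demo: write the article's three VLAN files into a scratch directory.
outdir=$(mktemp -d)
for v in 10 20 30; do
    gen_vlan_conf "$v" "8.8.8.8,8.8.4.4" > "$outdir/vlan$v.conf"
    check_vlan_conf "$outdir/vlan$v.conf" && echo "$outdir/vlan$v.conf ok"
done
```

After the files pass the check, dnsmasq's own parser is the final word: dnsmasq --test reads the configuration and reports syntax errors without starting the daemon.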
VPN Concentrator: 


A VPN (Virtual Private Network) is used when one needs to create a link between two or more private networks over a public network (like the Internet). Once the connection between the two private networks is established, users will see the opposite network in a completely transparent way, as if the two were physically connected to each other. Keep in mind, however, that the maximum connection speed between the two networks is bounded by the public network.

Another very important characteristic of a VPN is that it creates a secure communication channel, so you can rest assured even when you need to transfer confidential data. All traffic between the two endpoints of the VPN is encapsulated in a tunnel. The tunnels can operate at different levels of the ISO/OSI stack.


[Figure: PPTP and L2TP tunnels between the road warrior and the OpenBSD firewall.]


Main configuration file for L2TP and PPTP VPN server ( /etc/npppd/npppd.conf ):

authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
    listen on 0.0.0.0
    listen on ::
    #mppe required
    #mppe-key-length 128
    #mppe-key-state stateless
}

ipcp IPCP-L2TP {
    pool-address 10.10.0.2-10.10.0.254
    dns-servers 8.8.8.8
}

tunnel PPTP protocol pptp {
    listen on 0.0.0.0
    pptp-vendor-name "openbsd-npppd"
    mppe required
    mppe-key-length 128
    mppe-key-state stateless
    idle-timeout 3600
}

ipcp IPCP-PPTP {
    pool-address 10.10.10.2-10.10.10.254
    dns-servers 8.8.8.8
}

interface pppx0 address 10.10.0.1 ipcp IPCP-L2TP
bind tunnel from L2TP authenticated by LOCAL to pppx0
interface pppx1 address 10.10.10.1 ipcp IPCP-PPTP
bind tunnel from PPTP authenticated by LOCAL to pppx1

Main configuration file for L2TP and PPTP VPN server user credentials ( /etc/npppd/npppd-users ):


#################################################
# PPTP Users PASSWORDS
#################################################

pptp01:\
    :password=pptp01password:

#################################################
# L2TP Users PASSWORDS
#################################################

l2tp01:\
    :password=l2tp01:


[Figure: IPsec site-to-site tunnel and IPsec/L2TP road-warrior access.]


Main configuration file for L2TP/IPSEC and SITE-TO-SITE VPN server ( /etc/ipsec.conf ):

#################################################
# IPSEC IKEv1 L2tp
#################################################

if_wan="em0"
key="ipsecl2tpkey"

# Only for old OSes and Devices!!
ike passive esp transport \
    proto udp from $if_wan to any port 1701 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des \
    psk $key

#################################################
# IPSEC IKEv1 Site-to-Site
#################################################

local_ip="192.168.44.40"
local_network01="192.168.20.0/24"
local_network02="192.168.10.0/24"
remote_ip="192.168.44.50"
remote_network01="192.168.202.0/24"
remote_network02="192.168.203.0/24"

ike esp from $local_network01 to $remote_network01 peer $remote_ip
ike esp from $local_network02 to $remote_network02 peer $remote_ip
ike esp from $local_ip to $remote_network01 peer $remote_ip
ike esp from $local_ip to $remote_network02 peer $remote_ip
ike esp from $local_ip to $remote_ip


OpenVPN Server for Road Warriors

useradd -d /home/openvpn/user1tcp -m -s /usr/bin/false -g _openvpn -G _openvpnusers -p "user1tcp123" user1tcp

Punctuation marks in the password field cause trouble.


cd /etc/openvpn/udp/
cp -R /usr/local/share/easy-rsa/ .
cd easy-rsa/
cp vars.example vars
nano vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa gen-dh

mkdir /etc/openvpn/udp/certskeys

cp /etc/openvpn/udp/easy-rsa/pki/private/server.key /etc/openvpn/udp/certskeys/
cp /etc/openvpn/udp/easy-rsa/pki/issued/server.crt /etc/openvpn/udp/certskeys/
cp /etc/openvpn/udp/easy-rsa/pki/ca.crt /etc/openvpn/udp/certskeys/
cp /etc/openvpn/udp/easy-rsa/pki/dh.pem /etc/openvpn/udp/certskeys/


The /etc/openvpn/tcp/serverTcp.conf:

dev tun
proto tcp
port 443

## certs we created earlier
ca /etc/openvpn/tcp/certskeys/ca.crt
cert /etc/openvpn/tcp/certskeys/server.crt
key /etc/openvpn/tcp/certskeys/server.key
dh /etc/openvpn/tcp/certskeys/dh.pem

user _openvpn
group _openvpn

## You can make this any private subnet you like
server 10.192.20.0 255.255.255.0

persist-key
persist-tun
keepalive 10 120
comp-lzo
client-to-client

## make this connection the default gateway for network traffic
#push "redirect-gateway def1"
#push "dhcp-option DNS 8.8.8.8"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/udp.log
verb 3

client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
#auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-file

## A management interface allows you to telnet from local host, to use
## telnet localhost 7505
#management localhost 7505


The /etc/openvpn/udp/serverUdp.conf:

dev tun
proto udp
port 1194

## certs we created earlier
ca /etc/openvpn/udp/certskeys/ca.crt
cert /etc/openvpn/udp/certskeys/server.crt
key /etc/openvpn/udp/certskeys/server.key
dh /etc/openvpn/udp/certskeys/dh.pem

user _openvpn
group _openvpn

## You can make this any private subnet you like
server 10.192.10.0 255.255.255.0

persist-key
persist-tun
keepalive 10 120
comp-lzo
client-to-client

## make this connection the default gateway for network traffic
#push "redirect-gateway def1"
#push "dhcp-option DNS 8.8.8.8"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/udp.log
verb 3

client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
#auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-file

## A management interface allows you to telnet from local host, to use
## telnet localhost 7506
#management localhost 7506


Automated start of OpenVPN Server:

root@obsd6-fwgw[/etc]cat /etc/hostname.tun0
up
group openvpn
description "OpenVPN to local net 192.168.200.x"
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/udp/serverUdp.conf --dev $if

root@obsd6-fwgw[/etc]cat /etc/hostname.tun1
up
group openvpn
description "OpenVPN to local net 192.168.200.x"
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/tcp/serverTcp.conf --dev $if


The client file clientTcp.ovpn:

### Sample client-side OpenVPN 2.0 config file.
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
dev tun
proto tcp
# The hostname/IP and port of the server.
remote 192.168.44.40 443
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
comp-lzo adaptive
# Try to preserve some state across restarts.
persist-key
persist-tun
# Certificate Authority
;ca ca.crt
# Username/Password authentication is used on the server
;auth-user-pass
;ns-cert-type server
auth-user-pass logon.txt
# Set log file verbosity.
verb 3
; For Windows 7 and 8 systems
route-method exe
route-delay 2


<ca>
(inline CA certificate, PEM block omitted)
</ca>


The client password file password.txt:

user1tcp
user1tcp123
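
The client profile above trusts the CA alone: the ns-cert-type line is commented out, so any certificate the CA has issued (another client's included) would be accepted as the server, the password is read from a cleartext file, and comp-lzo is enabled. The script below is an added example, not the article's code: lint_profile and has_directive are hypothetical names, and the embedded profile is constructed from the article's directives with the certificate body replaced by a placeholder.

```sh
#!/bin/sh
# Added example (not from the article): static checks on an OpenVPN client
# profile such as clientTcp.ovpn.  SAMPLE_PROFILE is constructed from the
# article's directives; the function names are this example's own.
set -eu

SAMPLE_PROFILE='client
dev tun
proto tcp
remote 192.168.44.40 443
resolv-retry infinite
nobind
comp-lzo adaptive
persist-key
persist-tun
;ca ca.crt
;auth-user-pass
;ns-cert-type server
auth-user-pass logon.txt
verb 3
<ca>
PLACEHOLDER-PEM
</ca>'

# has_directive <profile-text> <directive>: true when an *active* line
# starts with the directive.  OpenVPN treats lines beginning with "#" or
# ";" as comments, so ";ns-cert-type server" does not count.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# lint_profile <profile-text>: prints one finding per line and returns the
# number of findings (0 = nothing found).
lint_profile() {
    p=$1; n=0
    # 1. Server identity: without remote-cert-tls (or the older
    #    ns-cert-type) the client only checks that the peer certificate
    #    chains to the CA, which every client certificate also does.
    if ! has_directive "$p" remote-cert-tls && ! has_directive "$p" ns-cert-type; then
        echo "no remote-cert-tls server: server certificate role is not checked"
        n=$((n + 1))
    fi
    # 2. A CA must be present, inline (<ca> block) or via "ca <file>".
    if ! has_directive "$p" ca && ! printf '%s\n' "$p" | grep -q '^<ca>'; then
        echo "no CA: nothing anchors the server certificate"
        n=$((n + 1))
    fi
    # 3. auth-user-pass with a file argument keeps the password in
    #    cleartext on disk; without the argument OpenVPN prompts for it.
    if printf '%s\n' "$p" | grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]'; then
        echo "auth-user-pass reads credentials from a cleartext file"
        n=$((n + 1))
    fi
    # 4. comp-lzo: compression inside the tunnel is deprecated since
    #    OpenVPN 2.4 because it can leak plaintext (VORACLE-style attacks).
    if has_directive "$p" comp-lzo; then
        echo "comp-lzo enabled: in-tunnel compression is deprecated"
        n=$((n + 1))
    fi
    return $n
}

# Demo on the constructed profile: prints the findings and their count.
lint_profile "$SAMPLE_PROFILE" || echo "findings: $?"
```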


Firewall complete script

After you have installed and configured all the services seen so far, it remains to complete the final step: the configuration of the Packet Filter firewall, which will act as "glue" and arbiter for all the connections of the company network.


##############################################
# pf.conf openbsd 6.0 domain.tld             #
# with vlan/nat/dhcp/dns services            #
##############################################

##########################
# macros section start   #
##########################
ext_if="em0"
ext_ip="192.168.44.40"
ext_net="192.168.44.0/24"
int_if="vlan10"
dmz_if="vlan20"
voip_if="vlan30"
lan_lan="192.168.10.0/24"
dmz_lan="192.168.20.0/24"
voip_lan="192.168.30.0/24"


tun_ifs="{ tun0, tun1, tun2, tun3, tun4, tun5, tun6, tun7, tun8, tun9 }"
pppx_ifs="{ pppx0, pppx1, pppx2, pppx3, pppx4, pppx5, pppx6, pppx7, pppx8, pppx9 }"


tcp_services = "{ (ports unreadable in the scanned original) }"
udp_services = "{ (ports unreadable in the scanned original) }"
icmp_types="echoreq"
web_services = "{80, 21, 443}"
google_ns="{ 8.8.8.8, 8.8.4.4 }"
obsd_repo="193.206.140.37" #openbsd.mirror.garr.it
pptp_services = "{ (ports unreadable in the scanned original) }"
ipsec_services = "{ 500, 4500 }"
ovpn_services = "{ (ports unreadable in the scanned original) }"
l2tp_services = "{ (ports unreadable in the scanned original) }"


### Tables
table <blocked> persist file "/etc/blocklist"
table <bruteforce> persist

# IPSEC VPN TABLES
table <vpn_peers> const { 192.168.44.50 }


##########################
### Matching Internal/external IPs for Natting ...
##########################
# macros section end     #
##########################

##########################
# options section start  #
##########################
set block-policy return
set loginterface $ext_if
set skip on { lo, enc0, gre0 }


# FTP Proxy rules
anchor "ftp-proxy/*"
pass on $int_if inet proto tcp from $ext_if port > 1023 to port ftp divert-to 127.0.0.1 port 8021
pass on $dmz_if inet proto tcp from $ext_if port > 1023 to port ftp divert-to 127.0.0.1 port 8021
pass on $ext_if inet proto tcp from $ext_if port > 1023 to port ftp divert-to 127.0.0.1 port 8021

# ftp out from ftp-proxy and local machine, allow passive
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 to any port ftp modulate state
pass out log on $ext_if inet proto tcp from ($ext_if) port 54999><56999 to any port > 1023 modulate state
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 to any port > 1023 modulate state
pass in log on $dmz_if inet proto tcp from $ext_if port > 1023 to any port > 1023 modulate state
pass in log on $int_if inet proto tcp from $ext_if port > 1023 to any port > 1023 modulate state
pass in log on $ext_if inet proto tcp from $ext_if port > 1023 to any port > 1023 modulate state


##########################
# options section end    #
##########################

# <== NAT SECTION START ==> #

##########################
# nat rules start        #
##########################


### DMZ NAT 1:1

## Host fw.domain10.local
fw_srv_int="192.168.x.x" # host address unreadable in the scanned original
fw_srv_ext="192.168.44.20"

pass in on $ext_if inet proto tcp to $fw_srv_ext port { (ports unreadable in the scan) } rdr-to $fw_srv_int keep state
pass in on $ext_if inet proto udp to $fw_srv_ext port { (ports unreadable in the scan) } rdr-to $fw_srv_int keep state
pass out quick log on $ext_if inet from $fw_srv_int to any nat-to $fw_srv_ext

## Host www1.domain20.local
www1_srv_int="192.168.20.40"
www1_srv_ext="192.168.44.41"

pass out quick log on $ext_if inet from $www1_srv_int to any nat-to $www1_srv_ext
pass in log quick on $ext_if inet proto tcp to $www1_srv_ext port 80 rdr-to $www1_srv_int port 8000

# rdr-to firewall IP
#pass in log on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $www1_srv_int port 8000

pass in log quick on $ext_if inet proto tcp to $www1_srv_ext port {22,443} rdr-to $www1_srv_int keep state

### Host asterisk.domain20.local
asterisk_srv_int="192.168.20.4"
asterisk_srv_ext="192.168.44.42"

pass in on $ext_if inet proto tcp to $asterisk_srv_ext port {22,443,5222,7771,9090,9091,5060} rdr-to $asterisk_srv_int keep state
pass in on $ext_if inet proto udp to $asterisk_srv_ext port {5060,4596,5036,2727,5222,1177,9090,9091,9999><20001} rdr-to $asterisk_srv_int keep state
pass out quick log on $ext_if inet from $asterisk_srv_int to any nat-to $asterisk_srv_ext

# binat-to example
#pass quick log on $ext_if from $presenze_srv_int to any binat-to $presenze_srv_ext


##########################
# match rules start      #
##########################

### VLANS NAT MANY:1
match out on $ext_if from $lan_lan nat-to ($ext_if)
match out on $ext_if from $dmz_lan nat-to ($ext_if)
match out on $ext_if from $voip_lan nat-to ($ext_if)

##########################
# match rules end        #
##########################

# <== NAT SECTION END ==> #

##########################
# filter rules start     #
##########################


block in log
block log all

##########################
# Global Block Section start
##########################

#block in quick on $ext_if inet proto tcp from any to $nas10_srv_int port 21

##########################
# Global Block Section End
##########################

pass out quick
pass quick on $ext_if from $ext_net
antispoof quick for { lo $int_if $dmz_if $voip_if }
block in log on $ext_if from <blocked> to any
block quick from <bruteforce>
pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services
pass in on $ext_if inet proto udp from any to $ext_ip port $udp_services
pass out on $ext_if inet proto tcp from $ext_ip to $obsd_repo port {80,21} keep state
pass in on $ext_if inet proto tcp from $obsd_repo to $ext_ip port {80,21} keep state

## enable Google public NS
pass in on $ext_if proto {tcp, udp} from $google_ns to any port 53 keep state
pass out on $ext_if proto {tcp, udp} from $google_ns to any port 53 keep state
pass in on $int_if proto {tcp, udp} from $google_ns to any port 53 keep state
pass out on $int_if proto {tcp, udp} from $google_ns to any port 53 keep state
pass in on $dmz_if proto {tcp, udp} from $google_ns to any port 53 keep state
pass out on $dmz_if proto {tcp, udp} from $google_ns to any port 53 keep state

pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
pass out on $ext_if proto tcp from any to any port 21 keep state
pass out on $ext_if proto tcp from any to any port > 49151 keep state

pass in on $ext_if proto tcp from $obsd_repo to any port {80,21} keep state
pass out on $ext_if proto tcp from $obsd_repo to any port {80,21} keep state
pass in on $int_if proto tcp from $obsd_repo to any port {80,21} keep state
pass out on $int_if proto tcp from $obsd_repo to any port {80,21} keep state

pass log inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)


##########################
# filter rules end       #
##########################

##########################
# final ruleset start    #
##########################

######## Vpn Section Start

###### OpenVpn Ruleset
pass in on $ext_if proto udp from any to any port 1194
pass out on $ext_if proto udp from any to any port 1194
pass in quick proto udp from any to port 1194 keep state label "Openvpn"
pass out quick log on $tun_ifs all
pass in quick on $ext_if proto udp from any to $ext_ip port = 1194 modulate state
pass in on $tun_ifs inet proto {tcp,udp,icmp} from any to any flags S/SA keep state
pass out on $tun_ifs inet proto {tcp,udp,icmp} from any to any flags S/SA keep state
pass in quick log on $tun_ifs keep state
pass out quick log on $tun_ifs keep state

###### Pptpd/L2tpd Ruleset
#Pptp Vpn Rules
pass in quick on $ext_if proto tcp from any to $ext_ip port = 1723 modulate state label "Pptpd"
pass in quick on $ext_if proto gre from any to $ext_ip keep state
pass out quick on $ext_if proto gre from $ext_ip to any keep state
pass in quick log on $pppx_ifs all
pass out quick log on $pppx_ifs all
#L2tp Vpn Rules
pass in quick on $ext_if proto udp from any to any port {17, 1701} keep state label "L2tpd"
pass on enc0 from any to any keep state (if-bound)
pass in quick log on $tun_ifs all
pass out quick log on $tun_ifs all

###### Ipsec/L2tpd Ruleset
pass in quick on $ext_if proto udp from any to any port {500, 4500, 1701} keep state label "IpsecL2tpd"
pass on enc0 from any to any keep state (if-bound)

[Figure: vlan10 192.168.10.0/24, vlan20 192.168.20.0/24 and vlan30 192.168.30.0/24 behind the OpenBSD firewall.]

###### Ipsec Site-to-Site Ruleset
pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port { 500, 4500 } keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port { 500, 4500 } keep state

######## Vpn Section End

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
# (one rule unreadable in the scanned original)
pass in on $dmz_if

Conclusions

As we have seen, OpenBSD makes it possible to build a Gateway Router Firewall and a multi-VPN concentrator. The level of security it can give is very high, both for SOHO and for enterprise infrastructures. Therefore, OpenBSD proves to be a great alternative to dedicated and expensive hardware equipment, plus it's Open-Source.

Cisco Switch simple configuration for Main office Vlans:

enable
vlan database
vlan 10 name MainOffice-VlanLan
vlan 20 name MainOffice-VlanDMZ
vlan 30 name MainOffice-VlanVoip
conf t
interface FastEthernet 1/0
switchport mode trunk
switchport trunk allowed vlan all
no shutdown
interface range fastethernet1/1 - 10
switchport mode access
switchport access vlan 30
no shutdown
interface range fastethernet1/11 - 15
switchport mode access
switchport access vlan 20
no shutdown
interface range fastethernet2/1 - 15
switchport mode access
switchport access vlan 10
no shutdown
exit

About the author: a freelance columnist for Italian magazines such as "Linux & C" http://www.oltrelinux.com/, "LinuxMagazine" http://www.linux-magazine.it/ and "Elettronica OpenSource" http://it.emcelettronica.com/.
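
Returning to the pf.conf ruleset above: a macro or table name mistyped in one rule (say $udp_service for $udp_services) stops pfctl from loading the whole file, and rules on an interface listed under set skip (enc0 here) are never evaluated, because pf does not filter skipped interfaces at all. The script below, an added example rather than the article's code, runs three such checks over a constructed cut-down copy of the ruleset that carries two deliberate mistakes; undefined_macros, undefined_tables and skipped_ifaces_with_rules are hypothetical names, and on the firewall itself the authoritative check remains pfctl -nf /etc/pf.conf.

```sh
#!/bin/sh
# Added example (not from the article): offline consistency checks for a
# pf.conf like the one above, usable on a host without pf.  SAMPLE_PF is
# constructed from the article's macros and rules with two deliberate
# mistakes ($udp_services never defined, <vpn_peer> misspelt); the enc0
# rule is the article's own and is dead because enc0 is in "set skip".
# The function names are this example's own.
set -eu

SAMPLE_PF='ext_if="em0"
ext_ip="192.168.44.40"
int_if="vlan10"
dmz_if="vlan20"
voip_if="vlan30"
tcp_services="{ 22, 80 }"
table <blocked> persist file "/etc/blocklist"
table <bruteforce> persist
table <vpn_peers> const { 192.168.44.50 }
set skip on { lo, enc0, gre0 }
block log all
pass out quick
antispoof quick for { lo $int_if $dmz_if $voip_if }
block in log on $ext_if from <blocked> to any
block quick from <bruteforce>
pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services
pass log inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in quick on $ext_if proto udp from any to any port $udp_services
pass in quick on egress proto esp from <vpn_peer> to (egress:0) keep state
pass on enc0 from any to any keep state (if-bound)'

# undefined_macros <ruleset>: prints each $name used but never assigned
undefined_macros() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { sub(/[ \t]*=.*/, ""); def[$0] = 1; next }
        { line = $0
          while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
              name = substr(line, RSTART + 1, RLENGTH - 1)
              if (!(name in def) && !(name in seen)) { seen[name] = 1; print name }
              line = substr(line, RSTART + RLENGTH)
          } }'
}

# undefined_tables <ruleset>: prints each <name> referenced without a
# "table <name>" definition
undefined_tables() {
    printf '%s\n' "$1" | awk '
        /^table[ \t]+</ { t = $0; sub(/^table[ \t]+</, "", t); sub(/>.*/, "", t); def[t] = 1; next }
        { line = $0
          while (match(line, /<[A-Za-z_][A-Za-z0-9_]*>/)) {
              name = substr(line, RSTART + 1, RLENGTH - 2)
              if (!(name in def) && !(name in seen)) { seen[name] = 1; print name }
              line = substr(line, RSTART + RLENGTH)
          } }'
}

# skipped_ifaces_with_rules <ruleset>: interfaces named in "set skip on"
# that still appear as "on <iface>" in a rule; such rules never match.
skipped_ifaces_with_rules() {
    printf '%s\n' "$1" | awk '
        /^set[ \t]+skip[ \t]+on/ {
            s = $0
            sub(/^set[ \t]+skip[ \t]+on[ \t]*[{]?/, "", s)
            sub(/[}].*/, "", s)
            n = split(s, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1
            next }
        { for (i = 1; i < NF; i++) {
              nx = $(i + 1)
              if ($i == "on" && (nx in skip) && !(nx in seen)) { seen[nx] = 1; print nx }
          } }'
}

# Demo on the constructed ruleset.
echo "undefined macros:";            undefined_macros "$SAMPLE_PF"
echo "undefined tables:";            undefined_tables "$SAMPLE_PF"
echo "rules on skipped interfaces:"; skipped_ifaces_with_rules "$SAMPLE_PF"
```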
HOW IMPORTANT IS YOUR DATA?


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, and 
your file is gone. 


The worst part? You won't know until you absolutely need that file again.

[Figure: Example of one-bit corruption]


THE SOLUTION 


The Mini boasts these state-of-the- 
art features: 


The FreeNAS Mini has emerged as the clear choice to 
Save your digital life. No other NAS in its class offers 
ECC (error correcting code) memory and ZFS bitrot 
protection to ensure data always reaches disk 
without corruption and never degrades over time. 


- 8-core 2.4GHz Intel® Atom™ processor
- Up to 16TB of storage capacity
- 16GB of ECC memory (with the option to upgrade to 32GB)
- 2x 1 Gigabit network controllers
- Remote management port (IPMI)
- Tool-less design; hot swappable drive trays
- FreeNAS installed and configured


No other NAS combines the inherent data integrity 
and security of the ZFS filesystem with fast on-disk 
encryption. No other NAS provides comparable power 
and flexibility. The FreeNAS Mini is, hands-down, the 
best home and small office storage appliance you can 
buy on the market. When it comes to saving your 
important data, there simply is no other solution. 




Intel, the Intel logo, Intel Atom and Intel Atom Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 


FREENAS CERTIFIED STORAGE


With over six million downloads, 
FreeNAS is undisputedly the most 
popular storage operating system 
in the world. 


Sure, you could build your own FreeNAS system: 
research every hardware option, order all the 

parts, wait for everything to ship and arrive, vent at 
customer service because it hasn't, and finally build it 
yourself while hoping everything fits - only to install 
the software and discover that the system you spent 
days agonizing over isn’t even compatible. Or... 


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS 
project, iXsystems has combined over 20 years of 
hardware experience with our FreeNAS expertise to 
bring you FreeNAS Certified Storage. We make it 
easy to enjoy all the benefits of FreeNAS without 
the headache of building, setting up, configuring, 
and supporting it yourself. As one of the leaders in 
the storage industry, you know that you're getting the 
best combination of hardware designed for optimal 
performance with FreeNAS. 


Every FreeNAS server we ship is... 


» Custom built and optimized for your use case 

» Installed, configured, tested, and guaranteed to work out 
of the box 

» Supported by the Silicon Valley team that designed and 
built it 

» Backed by a 3 years parts and labor limited warranty 


http://www.iXsystems.com/storage/freenas-certified-storage/ 


iXsystems

As one of the leaders in the storage industry, you
know that you're getting the best combination 

of hardware designed for optimal performance 

with FreeNAS. Contact us today for a FREE Risk 
Elimination Consultation with one of our FreeNAS 
experts. Remember, every purchase directly supports 
the FreeNAS project so we can continue adding 
features and improvements to the software for years 
to come. And really - why would you buy a FreeNAS 
server from anyone else? 


FreeNAS 1U
- Intel® Xeon® Processor E3-1200v2 Family
- Up to 16TB of storage capacity
- 16GB ECC memory (upgradable to 32GB)
- 2x 10/100/1000 Gigabit Ethernet controllers
- Redundant power supply

FreeNAS 2U
- 2x Intel® Xeon® Processors E5-2600v2 Family
- Up to 48TB of storage capacity
- 32GB ECC memory (upgradable to 128GB)
- 4x 1GbE Network interface (Onboard) (Upgradable to 2 x 10 Gigabit Interface)
- Redundant Power Supply




Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. 


OPNsense 


OPNsense is an open-source, easy-to-use and easy-to-build FreeBSD-based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings together with the benefits of open and verifiable sources. 


OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates with small adjustments to react to newly emerging threats in a timely fashion. A fixed release cycle of two major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release, a roadmap is set out to guide the development and to define clear goals. List of OPNsense features: 


- Traffic Shaper 
- Two-factor authentication throughout the system 
- Captive portal 
- Forward Caching Proxy (transparent) with Blacklist support 
- Virtual Private Network (site-to-site and road warrior; IPsec, OpenVPN & legacy PPTP support) 
- High availability and Hardware Failover (with configuration synchronization and synchronized state tables) 
- Intrusion Detection and Prevention mechanism 
- Built-in reporting and monitoring tools including RRD Graphs 
- Netflow Exporter 
- Network Flow Monitoring 
- Support for plug-ins 
- DNS Server & DNS Forwarder 
- DHCP Server and Relay 
- Dynamic DNS 
- Encrypted configuration backup to Google Drive 
- Stateful inspection firewall 
- Granular control over state table 
- 802.1Q VLAN support 


The feature set of OPNsense includes high-end features 
such as forward caching proxy, traffic shaping, intrusion 
detection and easy OpenVPN client setup. The latest 
release is based upon FreeBSD 10.2 for long-term 
support, and uses a newly developed MVC-framework 
based on Phalcon. 

OPNsense’s focus on security brings unique features 
such as the option to use LibreSSL instead of OpenSSL 
(selectable in the GUI), and a custom version based on 
HardenedBSD. 

The robust and reliable update mechanism gives 
OPNsense the ability to provide important security 
updates in a timely fashion. 


The software setup and installation of OPNsense® is 
available for x86-32 and x86-64 bit microprocessor 
architectures. 


Embedded vs. Full 


Full installs can run on SD memory cards, solid-state 
disks (SSD) or hard disk drives (HDD). 


The main differences between an embedded image and a full image are: 

                  Embedded                               Full 
Base system       Uses NanoBSD                           Uses FreeBSD 
Writes            Writes to RAM disk                     Writes to local disk 
Logging           No log data retention after reboot     Log data retention after reboot 
Local disk        Not intended for local disk writes     Suitable for disk writes 
Mode              Embedded only use                      Can enable RAM disk for embedded mode 

Since the release of version 15.1.10 (04 May 2015), the option to install an embedded OPNsense image is also supported. Embedded images (NanoBSD) store logging and cache data in memory only, while Full versions keep the data stored on the local drive. A full version can mimic the behaviour of an Embedded version by enabling RAM disks; this is especially useful for SD memory card installations. 


OPNsense vs. pfSense 

They have numerous similarities. When you set up OPNsense for the first time, you might think it is pfSense with a different GUI. In fact, they are similar. However, in my opinion, the pfSense GUI is easier to use, but OPNsense has a faster GUI. 

Advantages of OPNsense: 
- Faster GUI (lighttpd). 
- Better security updates. 
- UEFI support (OPNsense supports UEFI and pfSense does not). 
- Clearer license (OPNsense is available under the BSD 2-Clause "Simplified" or "FreeBSD" license). 


Virtual Firewall 


A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment that offers the usual packet filtering and monitoring provided by a physical network firewall. A virtualized firewall is not the best solution: a separate firewall appliance is more convenient, but setting up a VF is more cost effective. In this section, we will set up OPNsense on Bhyve. Bhyve (pronounced "bee hive", formerly written as BHyVe) is a type-2 hypervisor/virtual machine manager for FreeBSD. It was introduced in FreeBSD 10.0 and supports most Intel and AMD processors that report the "POPCNT" (POPulation Count) processor feature in dmesg(8). The BSD-licensed Bhyve hypervisor became part of the base system with FreeBSD 10.0-RELEASE. It supports a number of guests, including FreeBSD, OpenBSD and many Linux distributions. Currently, Bhyve only supports a serial console and does not emulate a graphical console. Virtualization offload features of newer CPUs are used to avoid the legacy methods of translating instructions and manually managing memory mappings. The Bhyve design requires a processor that supports Intel Extended Page Tables (EPT), AMD Rapid Virtualization Indexing (RVI) or Nested Page Tables (NPT). It runs FreeBSD 9+, OpenBSD, NetBSD, Linux and MS Windows desktop (versions Vista, 7, 8/8.1/8.2 and 10), as well as MS Windows Server (versions 2008/2008R2, 2012/2012R2 and 2016 Technical Preview 2 and 3) guests. 

Lately, libvirt supports Bhyve as well. But personally, I prefer to utilize Bhyve from the shell. Also, there are FreeBSD packages that were created to make life easier, like CBSD and vm-bhyve. 


Recently, the Bhyve hypervisor supports Unified 
Extensible Firmware Interface Graphics Output Protocol 
or "UEFI-GOP". It means that you can easily run any 
modern OS without pain. 


OPNsense installation on Bhyve 


Presently, Bhyve supports UEFI-GOP in FreeBSD 
11.0-RELEASE. 


OPNsense requirements: 
- Minimum required RAM is 1 GB. 
- Minimum recommended virtual disk size of 8GB. 

1. Install FreeBSD 11.0. You can also install any later build. 

2. Retrieve the firmware binary. We must first install "bhyve-firmware". The best way to achieve this goal is to install it through the ports mechanism. This process is very time-consuming and demands intense user interaction. Nonetheless, with a trick, it can be easily done with the following commands: 

# cd /usr/ports/sysutils/bhyve-firmware 
# make install clean -DBATCH 

-DBATCH forces the port build process not to prompt you for confirmation and to proceed automatically. 

3. Hypervisor, Network and Storage Preparation 

# kldload vmm 

This command loads the vmm kernel module, the bhyve hypervisor driver. 

# ifconfig tap0 create up 

This command creates a new tap interface and brings it up. 

# ifconfig bridge0 create up 

This command creates a bridge, brings it up and makes it ready to use. 

# ifconfig bridge0 addm em0 

This command adds em0 (the physical network interface) to bridge0. 

# ifconfig bridge0 addm tap0 

This command adds tap0 to bridge0. 

# truncate -s 50G OPNsense.img 

This command creates a 50GB disk image file for the virtual machine. 

4. Prepare OPNsense ISO 

# fetch http://mirror.ams1.nl.leaseweb.net/opnsense/releases/mirror/OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2 
# bunzip2 OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2 


5. Boot a Virtual Machine 

# bhyve -c 2 -m 4G -w -H \ 
  -s 0,hostbridge \ 
  -s 3,ahci-cd,OPNsense-17.1-OpenSSL-cdrom-amd64.iso \ 
  -s 4,ahci-hd,OPNsense.img \ 
  -s 5,virtio-net,tap0 \ 
  -s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait \ 
  -s 30,xhci,tablet \ 
  -s 31,lpc -l com1,stdio \ 
  -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ 
  vm0 

This command creates a virtual machine (vm0) with two CPU cores and a display resolution of 800 by 600 that can be accessed via VNC at 0.0.0.0:5900. The fbuf wait parameter instructs Bhyve to only boot once a VNC connection has been made, simplifying the installation of operating systems that require immediate keyboard input. This can be removed for post-installation use. The xhci,tablet parameter provides precise cursor synchronization when using VNC, but it is not supported by FreeBSD. 

-H yields the virtual CPU thread when a HLT instruction is detected. If this option is not specified, virtual CPUs will use 100% of a host CPU. 

-w ignores accesses to unimplemented Model Specific Registers (MSRs). This is intended for debugging purposes. 
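The preparation and launch steps above, collected into one re-runnable script as an added example; this is not code from the original article. It keeps the article's names (vm0, tap0, bridge0, em0, OPNsense.img, the 17.1 ISO and the BHYVE_UEFI.fd firmware path) as overridable defaults, makes each host step idempotent so the script can be run again after a reboot, checks for the firmware and images before launching, and binds the VNC framebuffer to 127.0.0.1 instead of the article's 0.0.0.0: the bhyve VNC console carries no authentication of its own, so it should only be reachable through an SSH tunnel to the host. The function names, the DRY_RUN switch and the install/run split are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): OPNsense-on-bhyve host
# preparation and VM launch in one script. Defaults follow the article and
# can be overridden from the environment.

VM_NAME=${VM_NAME:-vm0}
DISK=${DISK:-OPNsense.img}
ISO=${ISO:-OPNsense-17.1-OpenSSL-cdrom-amd64.iso}
BOOTROM=${BOOTROM:-/usr/local/share/uefi-firmware/BHYVE_UEFI.fd}
UPLINK=${UPLINK:-em0}            # physical NIC bridged to the guest
TAP=${TAP:-tap0}
BRIDGE=${BRIDGE:-bridge0}
# The article listens on 0.0.0.0:5900. The VNC console is unauthenticated,
# so bind it to loopback and reach it via: ssh -L 5900:127.0.0.1:5900 host
VNC_BIND=${VNC_BIND:-127.0.0.1:5900}

# prepare_host: the article's step 3 (vmm, tap, bridge, disk image), each
# part skipped when already done so the script survives being re-run.
prepare_host() {
    kldstat -q -m vmm || kldload vmm
    ifconfig "$TAP" >/dev/null 2>&1 || ifconfig "$TAP" create up
    ifconfig "$BRIDGE" >/dev/null 2>&1 || ifconfig "$BRIDGE" create up
    ifconfig "$BRIDGE" addm "$UPLINK" 2>/dev/null || true   # already a member
    ifconfig "$BRIDGE" addm "$TAP" 2>/dev/null || true
    [ -e "$DISK" ] || truncate -s 50G "$DISK"
}

# preflight MODE: refuse to launch with a missing firmware, disk or ISO
# instead of letting bhyve fail part-way with a less helpful message.
preflight() {
    [ -r "$BOOTROM" ] || { echo "UEFI firmware $BOOTROM not found (install sysutils/bhyve-firmware)" >&2; return 1; }
    [ -e "$DISK" ]    || { echo "disk image $DISK not found (run: $0 prepare)" >&2; return 1; }
    [ "$1" != install ] || [ -r "$ISO" ] || { echo "ISO $ISO not found" >&2; return 1; }
    kldstat -q -m vmm || { echo "vmm(4) not loaded (run: $0 prepare)" >&2; return 1; }
}

# run_vm MODE: "install" attaches the ISO on slot 3 and adds fbuf's "wait"
# so the guest does not boot before a VNC client is attached; "run" boots
# from the disk alone. With DRY_RUN=1 the argument list is printed, one
# argument per line, instead of being executed.
run_vm() {
    mode=${1:-run}
    set -- -c 2 -m 4G -w -H -s 0,hostbridge
    if [ "$mode" = install ]; then
        set -- "$@" -s "3,ahci-cd,$ISO" -s "29,fbuf,tcp=$VNC_BIND,w=800,h=600,wait"
    else
        set -- "$@" -s "29,fbuf,tcp=$VNC_BIND,w=800,h=600"
    fi
    set -- "$@" -s "4,ahci-hd,$DISK" -s "5,virtio-net,$TAP" \
        -s 30,xhci,tablet -s 31,lpc -l com1,stdio \
        -l "bootrom,$BOOTROM" "$VM_NAME"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    preflight "$mode" || return 1
    bhyve "$@"
    # bhyve leaves the VM instance behind after the guest halts; destroy it
    # so the next launch under the same name does not fail.
    bhyvectl --destroy --vm="$VM_NAME"
}

case ${1:-} in
    prepare)     prepare_host ;;
    install|run) run_vm "$1" ;;
    "")          : ;;   # run without arguments: only define the functions
    *)           echo "usage: $0 prepare | install | run   (DRY_RUN=1 prints the bhyve command)" >&2; exit 1 ;;
esac
```

Typical use on the FreeBSD host is `./opnsense-vm.sh prepare` once, `./opnsense-vm.sh install` for the first boot from the ISO, and `./opnsense-vm.sh run` afterwards; `DRY_RUN=1 ./opnsense-vm.sh install` shows the exact bhyve command without starting anything, which is also how the argument assembly can be checked on a machine without bhyve.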




6. Connect to the VM with a VNC client 

# vncviewer 192.168.1.1:5900 

In the VNC client screen, you can see what is happening. The mouse is also supported. I prefer to use "tightvnc", with my hypervisor IP as "192.168.1.1". 

7. Installation process: 

- Configure console - The default configuration should be fine for most occasions. 
- Select task - The Quick/Easy Install option should be fine for most occasions. For installations on embedded systems or systems with minimal disk space, choose Custom Installation and do not create a swap slice. Proceed with default settings. 
- Are you SURE? - When proceeding, OPNsense will be installed on the first hard disk in the system. 
- Reboot - The system is now installed and needs to be rebooted to continue with configuration. 

For better performance in a virtual environment, disable all offloading settings in System -> Settings -> Networking. As you can see, OPNsense has a very beautiful GUI that lets you control every single aspect of the firewall. 


[Screenshot: System -> Settings -> Networking, showing the "Disable hardware checksum offload" and "Disable hardware TCP segmentation offload" options] 

Initial configuration 

After installation, the system will prompt you for the interface assignment. If you ignore this, default settings are applied. Installation ends with the login prompt. By default, you have to log in to enter the console. 

Welcome message: 

*** Welcome to OPNsense (amd64/OpenSSL) on OPNsense *** 

 WAN (em1) -> 
 LAN (em0) -> v4: 192.168.1.1/24 

FreeBSD/10.1 (OPNsense.localdomain) (ttyv0) 

login: 

A user can log in to the console menu with his credentials. The default credentials after a fresh install are username "root" and password "opnsense". 

[Screenshot: OPNsense Mandatory Configuration] 

Conclusion 

OPNsense is very easy to use on your virtual infrastructure. With UEFI support, you can install OPNsense on a modern mainboard. 

Useful Links 

https://docs.opnsense.org/manual/virtuals.html 
http://in4dbsd.com/page/FreeBSD 

About the Author 

Abdorrahman Homaei has been working as a software developer since 2000. He has used FreeBSD for more than ten years. He became involved with meetBSD dot ir and performed serious trainings on FreeBSD. He is starting his own company in February 2017. You can visit his site to view his curriculum vitae: http://in4bsd.com 
Kill a Long Running Process in Unix 

How To - Kill a long running process in Unix. 
http://www.ivishal.me 

Vishal Lambe is a tech blogger, author, part-time cartoonist, caricaturist and a voracious reader. He practices software engineering for a living. Moreover, he is a PMI Certified Associate in Project Management and has authored two books. 
A UNIX process runs in the background and keeps on performing the allocated task. However, when the process runs for a long time, waits for some other resource or gets stuck in a deadlock, it continuously consumes memory. At such times, we may want to release the memory and other resources by killing such processes. 

To kill a particular process, we need to determine its PID, i.e. Process ID. This can be done using the 'ps' command. A 'ps' command takes a snapshot of the memory when it runs and lists all the running process statistics. This is the very reason for including itself in the list. 

$ ps 

The next step is to use the 'kill' command along with the PID of the process you wish to kill. You can specify the 'kill' command to be non-maskable. Using -9 with the 'kill' command makes it non-maskable. 

$ kill -9 <PID> 

Suppose you have a long running process - 'grep' in Unix which you desire to purge or kill. You'll first need to find out the PID of this process. 

dev@pb456-5878:/app/data/vishal> ps 
  PID TTY          TIME CMD 
 1983 pts/44   00:00:00 more 
 2635 pts/44   00:00:00 vi 
 6521 pts/44   00:00:00 more 
 9622 pts/44   00:00:00 ps 
12458 pts/44   00:00:00 more 
12605 pts/44   00:00:00 man 
12618 pts/44   00:00:00 sh 
12627 pts/44   00:00:00 less 
13084 pts/44   00:00:00 cat 
13161 pts/44   00:00:00 more 
15732 pts/44   00:00:00 more 
15933 pts/44   00:00:00 more 
16603 pts/44   00:00:00 more 
17444 pts/44   00:00:00 grep 
17930 pts/44   00:00:00 more 
19905 pts/44   00:00:00 more 
20264 pts/44   00:00:00 more 
21976 pts/44   00:00:00 more 
27540 pts/44   00:00:01 bash 
31061 pts/44   00:00:00 ksh 
32137 pts/44   00:00:00 more 

Now, use the below command to kill the 'grep' process. 

dev@pb456-5878:/app/data/vishal> kill -9 17444 
[7]  Killed                  grep garantia (wd: dev@pb456-5878:/app/data/vishal) 
(wd now: dev@pb456-5878:/app/data/vishal) 

You can verify the successful purge of the 'grep' process by issuing the 'ps' command again. 

dev@pb456-5878:/app/data/vishal> ps 
  PID TTY          TIME CMD 
 1983 pts/44   00:00:00 more 
 2635 pts/44   00:00:00 vi 
 6521 pts/44   00:00:00 more 
 9622 pts/44   00:00:00 ps 
12458 pts/44   00:00:00 more 
12605 pts/44   00:00:00 man 
12618 pts/44   00:00:00 sh 
12627 pts/44   00:00:00 less 
13084 pts/44   00:00:00 cat 
13161 pts/44   00:00:00 more 
15732 pts/44   00:00:00 more 
15933 pts/44   00:00:00 more 
16603 pts/44   00:00:00 more 
17930 pts/44   00:00:00 more 
19905 pts/44   00:00:00 more 
20264 pts/44   00:00:00 more 
21976 pts/44   00:00:00 more 
27540 pts/44   00:00:01 bash 
31061 pts/44   00:00:00 ksh 
32137 pts/44   00:00:00 more 

You can see in the above list that 'grep' is not present. 
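Finding a process by name and stopping it, as an added example that is not part of the original article. The functions below are POSIX sh: find_pids compares the full command name in ps output so the lookup cannot match itself (the effect the article's ps listing illustrates), and terminate sends SIGTERM before falling back to the article's kill -9. SIGKILL cannot be caught or ignored, so the process gets no chance to flush its buffers or remove lock files; escalating to it only after SIGTERM has gone unanswered for a few seconds is the usual practice. The function names are this example's own, and demo_terminate runs the whole sequence against a background sleep standing in for the long-running job.

```shell
#!/bin/sh
# Added example (not part of the original article): locate a process by
# command name and stop it, trying SIGTERM before falling back to SIGKILL.

# find_pids NAME: print the PIDs whose command name is exactly NAME.
# Comparing the whole command column avoids the classic pitfall of a
# "ps | grep NAME" pipeline that also matches its own grep process.
find_pids() {
    ps -A -o pid= -o comm= | awk -v name="$1" '$2 == name { print $1 }'
}

# alive PID: succeed while PID exists and is not a zombie. kill -0 on its
# own also succeeds for an exited child that has not been reaped yet, which
# would make it look as if SIGTERM had been ignored.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case $(ps -p "$1" -o stat= 2>/dev/null) in
        Z*) return 1 ;;
    esac
    return 0
}

# terminate PID [TIMEOUT]: send SIGTERM, give the process up to TIMEOUT
# seconds (default 5) to exit cleanly, then send SIGKILL if it is still
# running. Returns 1 if PID could not be signalled at all (no such
# process, or not ours to signal).
terminate() {
    pid=$1
    timeout=${2:-5}
    kill -TERM "$pid" 2>/dev/null || return 1
    waited=0
    while alive "$pid" && [ "$waited" -lt "$timeout" ]; do
        sleep 1
        waited=$((waited + 1))
    done
    if alive "$pid"; then
        echo "PID $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
        kill -KILL "$pid" 2>/dev/null || return 1
    fi
    return 0
}

# demo_terminate: start a placeholder long-running job (sleep) in the
# background, stop it with terminate, reap it, and print "gone" or "alive".
demo_terminate() {
    sleep 300 >/dev/null 2>&1 &
    victim=$!
    terminate "$victim" 2 || return 1
    wait "$victim" 2>/dev/null || true     # reap our own child
    if kill -0 "$victim" 2>/dev/null; then echo alive; else echo gone; fi
}
```

On a real system the two pieces combine as `for p in $(find_pids grep); do terminate "$p"; done`; `kill -9` is what terminate sends only when the polite request has been ignored.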
ABOUT THE AUTHOR 


Interview with 
Vishal Lambe 


Can you tell our readers about yourself and your 
blog? 


I am a data-warehouse professional and a part-time blogger. I work with Unix, Informatica, SQL, Hive and Git. 

My favorite personality is RMS. I am the author of the book The Gita Of Programming - Lord Krishna's Teachings on the ethics of Programming. 

I blog @ www.ivishal.me 

How did you first get involved in blogging? 

I started blogging during my college days. Thereafter, I got more inclined towards writing on Unix. In general, Unix has numerous applications in ETL, databases and data warehousing. This is where my job becomes a sub-set of my hobby! 


What’s the best thing a blogger can give to his 
readers? 


Giving what the readers want. Understanding the readers' appetite and publishing timely articles is the key to a successful blog. 

Everyone has a favorite/least favorite post. Name yours and why? 

My popular Unix post is "less vs more vs vi". All posts are close to my heart; I really cannot think of a least favorite one. 

http://www.ivishal.me/2014/08/unix-terminal-hanged-here-what-you-need.html 


What do you think makes Unix so beloved by programmers? 


Because of its simplicity. "UNIX is user-friendly; it just 
chooses its friends." - Andreas Bogk 


Like a good Bob Dylan song, Unix grows on you over a 
period. You'll get attached to it. 




Although it may at first seem troublesome, most people 
have found that command line operation becomes quite 
easy, and even somewhat intuitive, with practice. Unix 
CLI is the most important feature of Unix and loved by 
most of the programmers. 


What is your advice to anyone who wants to advance their UNIX knowledge? 


First, know your basics. Do not jump to internal Unix 
complexities directly. Master the command line and you 
will save a lot of time. 


Unix takes its own sweet time to settle. Assuming that 
you are sufficiently motivated and have good study 
habits, plenty of excellent resources are available online 
as well as offline for learning Unix. You can learn at your 
own pace. Becoming a true Linux guru can take years of 
study and experience. 


What is your favorite OS and why? 


For personal computing, I prefer FreeBSD. Before being introduced to BSD flavors, I liked Linux Mint. Your personal favorite depends a lot on your taste and usage. 


What is the future of UNIX in general or your 
favourite OS? What do you think? 


Unix has left no industry untouched. I work in the Finance domain and my personal experience over the years is that no application is complete without the elegance of Unix, be it legacy applications or a complex interface between multiple applications. Unix is an architect's first choice for reliability and sustainability due to its backward compatibility. 


Do you have any specific goals for the rest of this 
year? 


My 2017 goal is to build interesting applications in Spark 
and Python. 


Performance and 
Reliability is critical 


Download syslog-ng Premium Edition 
product evaluation here 


Attend to a free logging tech webinar here 


BalaBit 


IT Security 


www.balabit.com 


syslog-ng log server 


The world's first High-Speed Reliable Logging™ technology 


HIGH-SPEED RELIABLE LOGGING 


- above 500 000 messages per second 
- zero message loss due to the Reliable Log Transfer Protocol™ 
- trusted log transfer and storage 


Shell From vi 


vi is a good example of a tool that interacts openly and easily with the Unix shell 


https://sanctum.geek.nz 


Tom Ryder is a systems administrator and programmer living in New Zealand. On his blog he posts articles on systems administration 
and programming, particularly where it relates to his interests in Unix, GNU/Linux, shell scripting, C, Perl, Vim, Git, or whatever else 
takes his interest from a technical bent. A favorite topic is using command-line tools effectively and efficiently. 


A good sign of a philosophically sound interactive Unix tool 
is the facilities it offers for interacting with the filesystem 
and the shell: specifically, how easily can you run file 
operations and/or shell commands with reference to data 
within the tool? The more straightforward this is, the more 
likely the tool will fit neatly into a terminal-driven Unix 
workflow. 


If all else fails, you could always suspend the task with Ctrl+Z to drop to a shell, but it's helpful if the tool shows more deference to the shell than that; it means you can use and (even more importantly) write tools to manipulate the data in the program in whatever languages you choose, rather than being forced to use any kind of heretical internal scripting language, or worse, an over-engineered API. 


vi is a good example of a tool that interacts openly and easily with the Unix shell, allowing you to pass open buffers as streams of text transparently to classic filter and text processing tools. In the case of Vim, it's particularly useful to get to know these, because in many cases they allow you to avoid painful Vimscript, and to do things your way, without having to learn an ad-hoc language or to rely on plugins. This was touched on briefly in the "Editing" article of the Unix as IDE series. 


Choosing your shell 


By default, vi will use the value of your SHELL environment variable as the shell in which your commands will be run. In most cases, this is probably what you want, but it might pay to check before you start: 

:set shell? 

If you're using Bash, and this prints /bin/bash, you're good to go, and you'll be able to use Bash-specific features or builtins such as [[ comfortably in your command lines if you wish. 


Running commands 
You can run a shell command from vi with the ! ex command. This is inherited from the same behaviour in ed. A good example would be to read a manual page in the same terminal window without exiting or suspending vi: 

:!man grep 

Or to build your project: 

:!make 

You'll find that the exclamation point prefix ! shows up in the context of running external commands pretty consistently in vi. 

You will probably need to press Enter afterwards to return to vi. This is to allow you to read any output remaining on your screen. 

Of course, that's not the only way to do it; you may prefer to drop to a forked shell with :sh, or suspend vi with ^Z to get back to the original shell, resuming it later with fg. 


You can refer to the current buffer's filename in the command with %, but be aware that this may cause escaping problems for files with special characters in their names: 

:!gcc % -o foo 

If you want a literal %, you will need to escape it with a backslash: 

:!grep \% .vimrc 

The same applies for the # character, for the alternate buffer: 

:!gcc # -o bar 
:!grep \# .vimrc 

And for the ! character, which expands to the previous command: 

:!echo ! 
:!echo \! 


You can try to work around special characters for these expansions by single-quoting them: 

:!gcc '%' -o foo 
:!gcc '#' -o bar 

But that's still imperfect for files with apostrophes in their names. In Vim (but not vi) you can do this: 

:exe "!gcc " . shellescape(expand("%")) . " -o foo" 

The Vim help for this is at :help :!. 


Reading the output of commands into a buffer 


Also inherited from ed is reading the output of commands into a buffer, which is done by giving a command starting with ! as the argument to :r: 

:r !grep vim .vimrc 

This will insert the output of the command after the current line position in the buffer; it works in the same way as reading in a file directly. 

You can add a line number prefix to :r to place the output after that line number: 

:5r !grep vim .vimrc 

To put the output at the very start of the file, a line number of 0 works: 

:0r !grep vim .vimrc 

And for the very end of the file, you'd use $: 

:$r !grep vim .vimrc 

Note that redirections work fine, too, if you want to prevent stderr from being written to your buffer in the case of errors: 

:$r !grep vim .vimrc 2>>vim_errorlog 

Writing buffer text into a command 


To run a command with standard input coming from text in your buffer, but without deleting it or writing the output back into your buffer, you can provide a ! command as an argument to :w. Again, this behaviour is inherited from ed. 

By default, the whole buffer is written to the command; you might initially expect that only the current line would be written, but this makes sense if you consider the usual behaviour of w when writing directly to a file. 


Given a file with a first column full of numbers: 

304 Donald Trump 
227 Hillary Clinton 
3 Colin Powell 
1 Spotted Eagle 
1 Ron Paul 
1 John Kasich 
1 Bernie Sanders 

We could calculate and view (but not save) the sum of the first column with awk(1), to see the expected value of 538 printed to the terminal: 

:w !awk '{sum+=$1}END{print sum}' 

We could limit the operation to the faithless electoral votes by specifying a line range: 

:3,$w !awk '{sum+=$1}END{print sum}' 

You can also give a range of just ., if you only want to write out the current line. 


In Vim, if you're using visual mode, pressing : while you have some text selected will automatically add the '<,'> range marks for you, and you can write out the rest of the command: 

:'<,'>w !grep Bernie 

Note that this writes every line of your selection to the command, not merely the characters you have selected. It's more intuitive to use visual line mode (Shift+V) if you take this approach. 


Filtering text 


If you want to replace text in your buffer by filtering it through a command, you can do this by providing a range to the ! command: 

:1,2!tr '[:lower:]' '[:upper:]' 

This example would capitalise the letters in the first two lines of the buffer, passing them as input to the command and replacing them with the command's output. 

304 DONALD TRUMP 
227 HILLARY CLINTON 
3 Colin Powell 
1 Spotted Eagle 
1 Ron Paul 
1 John Kasich 
1 Bernie Sanders 

Note that the number of lines passed as input need not match the number of lines of output. The length of the buffer can change. Note also that by default any stderr is included; you may want to redirect that away. 

You can specify the entire file for such a filter with %: 

:%!tr '[:lower:]' '[:upper:]' 

As before, the current line must be explicitly specified with . if you want to use only that as input, otherwise you'll just be running the command with no buffer interaction at all, per the first heading of this article: 

:!tr '[:lower:]' '[:upper:]' 


You can also use ! as a motion rather than an ex command 
on a range of lines, by pressing ! in normal mode and then a 
motion (w, 3w, }, etc) to select all the lines you want to pass 
through the filter. Doubling it (!!) filters the current line, in a 
similar way to the yy and dd shortcuts, and you can provide 
a numeric prefix (e.g. 3!!) to specify a number of lines from 
the current line. 


This is an example of a general approach that will work with 
any POSIX-compliant version of vi. In Vim, you have the gU 
command available to coerce text to uppercase, but this is 
not available in vanilla vi; the best you have is the tilde 
command ~ to toggle the case of the character under the 
cursor. tr(1), however, is specified by POSIX—including the 
locale-aware transformation—so you are much more likely to 
find it works on any modern Unix system. 
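The range operations above (:3,$w !awk ... and :1,2!tr ...) reproduced outside the editor in POSIX sh, as an added example that is not from the original article: write_range feeds a line range to a command the way :w ! does, filter_range replaces a line range with a command's output the way ! with a range does, and shquote performs the quoting that Vim's shellescape() applies to a filename containing %, # or apostrophes before it reaches the shell. The function names and the use of sed to split the buffer are this example's own; the sample buffer is the article's electoral-votes file, constructed inline.

```shell
#!/bin/sh
# Added example, not from the original article: vi's ":FIRST,LASTw !cmd"
# and ":FIRST,LAST!cmd" reproduced in plain POSIX sh, plus the quoting
# that Vim's shellescape() applies to a filename.

# shquote STRING: single-quote STRING for the shell. An embedded apostrophe
# becomes '\'' (close quote, escaped apostrophe, reopen quote), so a name
# containing %, #, ! or ' passes through the shell untouched. This is the
# job shellescape(expand("%")) does for the current buffer's filename.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_range FILE FIRST LAST CMD...: feed lines FIRST..LAST of FILE to CMD
# and let its output go to the terminal, like ":FIRST,LASTw !CMD".
# LAST may be "$" for the last line, as in vi.
write_range() {
    file=$1 first=$2 last=$3
    shift 3
    sed -n "${first},${last}p" "$file" | "$@"
}

# filter_range FILE FIRST LAST CMD...: replace lines FIRST..LAST (numeric)
# of FILE with CMD's output and print the new buffer, like
# ":FIRST,LAST!CMD". The filtered part may gain or lose lines.
filter_range() {
    file=$1 first=$2 last=$3
    shift 3
    if [ "$first" -gt 1 ]; then
        sed -n "1,$((first - 1))p" "$file"        # untouched head
    fi
    sed -n "${first},${last}p" "$file" | "$@"     # the filtered range
    sed -n "$((last + 1)),\$p" "$file"            # untouched tail
}

# Constructed sample buffer: the article's electoral-votes file.
sample_buffer() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
304 Donald Trump
227 Hillary Clinton
3 Colin Powell
1 Spotted Eagle
1 Ron Paul
1 John Kasich
1 Bernie Sanders
EOF
    printf '%s\n' "$f"
}

# ":w !awk '{sum+=$1}END{print sum}'" over the whole buffer
total_votes() {
    f=$(sample_buffer)
    write_range "$f" 1 '$' awk '{sum+=$1} END {print sum}'
    rm -f "$f"
}

# ":3,$w !awk ..." restricted to the faithless votes
faithless_votes() {
    f=$(sample_buffer)
    write_range "$f" 3 '$' awk '{sum+=$1} END {print sum}'
    rm -f "$f"
}

# ":1,2!tr '[:lower:]' '[:upper:]'": first two lines uppercased in place
upper_first_two() {
    f=$(sample_buffer)
    filter_range "$f" 1 2 tr '[:lower:]' '[:upper:]'
    rm -f "$f"
}
```

The head/range/tail split in filter_range is exactly what the ed emulation with a temporary file has to do by hand, and shquote shows why single-quoting alone is not enough once a filename can contain an apostrophe.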


If you end up needing such a command during editing a lot, you could make a generic command for your private bindir, say named upp for uppercase, that forces all of its input to uppercase: 

#!/bin/sh 
cat -- "${@:--}" | 
tr '[:lower:]' '[:upper:]' 

Once saved somewhere in $PATH and made executable, this would allow you simply to write the following to apply the filter to the entire buffer: 

:%!upp 

The main takeaway from this is that the scripts you use with your editor don't have to be in shell. You might prefer Awk: 

#!/usr/bin/awk -f 
{ print toupper($0) } 

Or Perl: 

#!/usr/bin/env perl 
print uc while <>; 

Or Python, or Ruby, or Rust, or... 

Incidentally, this "filtering" feature is where vi's heritage from ed ends as far as external commands are concerned. In POSIX ed, there isn't a way to filter buffer text through a command in one hit. It's not too hard to emulate it with a temporary file, though, using all the syntax learned above: 

1,2w !upp > tmp 
1,2d 
0r tmp 
!rm tmp 

ABOUT THE AUTHOR 

Interview with Tom Ryder 

Can you tell our readers about yourself and your blog? 

I'm a systems administrator with some web development experience who caught the Unix bug in my late teens. I live in provincial New Zealand, and work for an internet services provider, mostly in the care and feeding of our Unix-like servers. I don't have much computer science education. My blog [Arabesque][1] focusses mostly on command-line tools for Unix-like operating systems, a topic that fascinates me. I've been writing it since 2012. 

How did you first get involved with blogging? 

I started the blog mostly to practise technical writing, and to formalise my own knowledge. At the time, I was linking some of the posts to relevant sections on Reddit. As I found that more people were reading the articles, especially the content on Vim, I began to put more effort into making the posts more 

generally useful. I'd found many good blogs about computers and was mostly attempting to emulate the things I liked about them. A lot of the posts boil down to explaining and demonstrating things in a more discursive way than the manual pages do. Not that we shouldn't be reading manual pages, but a good tutorial for an initial approach to a program never hurts, if only to orient you toward one possible way of thinking about any given problem you have, or to get a better idea of the features available to you in a program. 

What's the best thing a blogger can give to his readers? 

I don't really know how to answer that--the posts would be a lot more popular if I did! There are definitely some standards I try to meet in writing, but I don't know of a magic bullet. I write about the things that interest me on the Unix command line, in the hopes that others will be interested too. Each post is really just casting an idea out into the void. They're not really marketed or targeted. I'm glad if people read them and find them useful, but I'd probably still be writing the same content if I only had four or five readers a day. 


Meet UNIX Bloggers 


Everyone has a favorite/least favorite post. Name yours 
and why? 


I'm fond of the "Vim Koans" page. | enjoy playing with the idea 
of computers as a kind of modern mysticism, and I'm 
fascinated with Eastern esotericism in general, though I'm 
more interested in Vedantic Hinduism than Buddhism. The 
inspiration came from ["The Rootless Root" or "The Unix 
Koans of Master Foo"][2] on Eric Raymond's website. 


The concrete techniques and tools of computing are generally 
not too hard to describe in plain language, given a sufficient 
technical vocabulary, but anything to do with a philosophy of 
computing or an approach to design or good general practice 
can be a lot harder to explain. A lot of the time you can really 
only grasp it by example and demonstration. The masters in 
zen stories often worked the same way, demonstrating an 
abstract concept in concrete terms, and frequently with a 
sense of humour. 


What do you think makes Unix so beloved by programmers? 

Unix has a spirit of trusting the user to know what they are doing, and in placing a high value on freedom. This isn't necessarily freedom in the pure ethical sense that Richard Stallman might advocate, staunchly enforced by legal structures; it's more of a creative kind of freedom, providing you with the tools without trying to prescribe or even to predict exactly how they're going to be used. That approach contributes to an ethos of the system staying out of your way: setting up as few artificial roadblocks as possible to getting what you want done. The idea of open source is an extension of this, which explains why Unix-like operating systems fit so neatly into its mould--while there are certainly ethical and commercial benefits to the use and production of open source software, for a lot of technical people it really more boils down to removing artificial barriers to solving problems. To programmers who are used to dealing with many abstractions and trying to solve complex problems by a "divide and conquer" strategy, that approach has a lot of appeal, especially where it extends to *toolsmithing*--providing you with a means to customise and create your own tools, whether a patch or extension to your editor that you use every day, or a throwaway Awk metaprogram creating a few hundred lines of shell script to solve a one-off task. 


What is your advice to anyone who wants to advance their 
UNIX knowledge? 


Just find something you love to do (especially if it's creating 
something), and do it with your favourite flavour of Unix, 
whether that's programming, writing, typesetting, desktop 
customization, or any of the hundreds of other things for 
which there are so many time-tested tools available to you. 
Don't sweat too much over whether you're approaching learning 
"the right way"; read what others in the community are doing 
with the tools, try them out, and see how they fit with the way 
you like to work. Discard anything that doesn't. As soon as 
you find something you don't like that's inefficient, or wonder 
if there's a better way to do something, or want something to 
run faster or more automatically--or even if you're just curious 
as to why a program runs a certain way--explore that. Trust 
your instincts! As you develop in whatever you're doing, you'll 
find yourself learning more and more about the toolset and 
trying different tools, and before you know it you'll be wanting 
to customise those tools, and then eventually to write your 
own. From that point, everything clicks. With documentation 
and source code everywhere, you realise you can learn 
whatever you need to about the system whenever you need 
to, and that all it takes is motivation and time. Understanding 
the system will stop seeming like the preserve of a priesthood 
of genius computer scientists. You won't feel the need to 
emulate anybody, nor to prove yourself, and you'll truly make 
your sense of expertise your own. It's a great feeling, and is 
worth striving for. This is, I think, the best way to learn 
anything new in depth, not just computers--find a way to link it 
with something you already care about and love to do. That 
way, it doesn't even really feel like work. 


What is your favourite OS and why? 


I run Debian GNU/Linux both at home and at work, and I tinker 
a lot with the major BSD systems in virtual machines, 
particularly to test code for compatibility. I'm also fond of 
OpenBSD. I am not much of a zealot in terms of choosing 
which Unix to use, though, generally--whatever gets the job 
done and works reliably is probably all right with me. 


What is the future of UNIX in general or your favourite OS? 
What do you think? 


I used to be interested in the idea of spreading Linux usage to 
the general population and making it accessible and "ready for 
the desktop", but I don't worry about that much now; I don't 
think it's important to have mass-market appeal for the 
system. I think that rather than focussing on mass-market appeal, 
which would probably just adulterate what makes Unix unique, 
advocacy should instead focus on reaching out to the kind of 
person who finds this approach to computing valuable and 
worthwhile, because they will always be out there. While I 
have no idea what the future holds for Unix as a system 
specifically, I'm pretty confident that the ideas that made it 
successful will endure permanently, as will the community that 
values those ideals. 


Do you have any specific goals for the rest of this year? 


Fnord! You are not cleared for this information! 

There's a big queue of article topics in the pipeline. We'll see 
how many actually get published... 


[1]: https://sanctum.geek.nz/arabesque/ 
[2]: http://catb.org/esr/writings/unix-koans/ 


Interview with Benjamin Wright 


Benjamin Wright is a practicing attorney based in Dallas, Texas, focusing on 
technology law. He serves as a senior instructor at the SANS Institute, teaching a 
5-day course titled 'Law of Data Security and Investigations.' Through that 
course, Mr. Wright has taught thousands of students across the world. 
Moreover, he chairs SANS Institute's annual Data Breach Summit and advises 
diverse clients, both in the US and outside the US, on privacy, electronic 
commerce and data security law. 


How did you first get involved in training? 


I am a lawyer in private practice. My background is business law, which means that I 
have much experience writing and interpreting contracts and policy documents. I 
have spent most of my career focused on technology law. 


In the 1990s, I wrote books on the law of electronic commerce. It was a pioneering 
topic in those days. People were beginning to do business electronically and without 
paper. The replacement of paper raised questions about evidence, records and signatures. 

My work in electronic commerce attracted clients and many opportunities to speak and teach. 

My experience in teaching led to a relationship with the SANS Institute in 2002. My knowledge of electronic commerce law matched 
well with the concerns of information security and digital forensics. 

My relationship with the SANS Institute has been excellent for my career. By teaching at SANS, I meet some of the smartest people in 
the world of information security and forensics, and they teach me tips, stories and ideas. This not only makes me a better lawyer for 
my clients but also improves my course. 


What's the best thing an instructor can give to his students? 


One of my greatest objectives is to help professionals in information security and forensics be cautious in their choice of words as 
they write reports and policies. Words matter. But often, people with a technical background don't have a lot of training on how to 
choose their words carefully. Increasingly, however, the words they write into emails and reports and policies have legal implications. 
Those words can be reviewed by legal authorities such as courts or regulators. 

Additionally, one of my goals as an instructor is to help professionals evaluate the quality of digital evidence, whether it's evidence 
of a data breach or forensic evidence used in some other kind of investigation. In my experience, many people leap to conclusions 
about digital evidence without carefully evaluating the quality of the evidence. It is easy to see a minor trace of information and 
interpret it in the wrong way. Some people, for example, are very eager to interpret a security incident as resulting in an actual 
"breach" of data security. Incidents happen all the time, but not every incident is a breach of security. The evidence from 
an incident must be evaluated carefully and skeptically before anyone reaches a conclusion that something like a data security 
"breach" has occurred. 


Could you tell us more about OSINT law? What is legal? 


I teach professionals how to read the legal terms and conditions that apply as they collect any evidence or open source intelligence. 
When a professional goes into a website such as Facebook, legal terms and conditions apply. Surprisingly, those terms and conditions 
may limit the ability of the professional to look for information or capture evidence. Similarly, when a professional opens a mobile 
app and uses it to capture evidence about some other user, an end user license agreement (EULA) applies. Many forensic professionals 
lack the training necessary to read and understand end user license agreements as they apply to their ability to gather evidence. An end 
user license agreement may forbid or restrict the capture of evidence. 


What is the most difficult issue in InfoSec law today? 


One of the most difficult topics in information security law today is how to judge whether an organization has done enough to protect 
the information it controls. 

Some authorities suggest that an organization is expected to apply "reasonable controls" to protect data. However, there is much 
confusion about what constitutes "reasonable controls" in any given situation. And in truth, information security is so difficult that 
even if you have reasonable controls, you can still be hacked. Some regulators and legal authorities seem to take the position that if 
you've been hacked, then you are necessarily unreasonable and you must be held liable. So in other words, there's no way an 
organization will legally win. 

My argument is that, if an organization applies "professional attention" to the protection of data, then it should not be liable if it is 
hacked or the data is breached. 

It's like going to a doctor. If you have a disease and go to the doctor, the doctor cannot guarantee that you will be cured. But if you die 
of the disease, the doctor will not necessarily be held liable by law. So long as the doctor applied "professional attention" to your 
disease, then the doctor is deemed to have done what was necessary and should be held blameless in the law. 

My suggestion is that a similar standard should apply to organizations that hold sensitive data like credit card numbers. If they have 
professionals working on the problem of protecting data, then that should be enough. They should not then be held liable if they are 
hacked, or the data is breached. 


Do you have any specific goals for the rest of this year? 


One of my primary goals this year is to lead a successful two-day conference on data breaches. We at the SANS Institute call it the 
"Data Breach Summit," which will be held in Chicago in September. 

Last year, we held the first Data Breach Summit, which was a one-day event. It was such a success that we decided to extend it to two 
days. We are looking forward to pulling together the most knowledgeable people across the world to participate intensively in the 
two-day conversation about how to respond to cyber crises and data breaches. We have requested input from government, law 
enforcement, cyber insurance companies, as well as privacy officers and Chief Information Security Officers. 

More information is available at these locations: 

http://benjaminwright.us 
https://plus.google.com/u/0/+Benjamin Wright 
Column 


Infrastructure Management 


Dear Readers, 


Every business, big or small, private or parastatal, rests on 
a framework (INFRASTRUCTURE) which defines the basic structures 
and fundamentals that make the organization what it is 
today. It comes down to understanding why you are there and what 
is required of you to make the task at hand manageable. In our 
world, which I think of as the outer web of information 
technology that encircles us in a cyber-life, that framework 
surrounds us with many components, policies, equipment, data 
and human resources. Working toward overall effectiveness makes 
you understand your purpose as a whole, no matter the role you 
play or the task at hand. Every employee should understand not 
only their job criteria but also the impact they have and how 
efficient and valuable they are to the company. This applies 
not only while they are executing the task at hand but also to 
understanding what it is they have to do. Once they realize 
this, they will be able to see how their infrastructure comes 
into play, i.e. a set framework that enables the company to 
understand all it takes to be successful in this IT world. 

Maintaining a stable workstation environment shows you how 
MANAGEMENT of those key features turns the framework into an 
everyday protocol that ensures cooperation and teamwork. If you 
love IT as much as I do, then doing what you do best is a step 
towards a better business. Don't complicate what you already 
know. Make it as simple as showing up for work and making sure 
your job criteria are fulfilled. You must, however, understand 
your job requirements, and understanding what is on your desk 
may not be all that you need to know. It is worth knowing how 
you can improve it, how your company works and what else has to 
be done to maintain best practices. The work environment should 
hold regular work-related meetings, so that any updates or 
changes which have to be made are applied in unity. Most 
general areas of IT may or may not be outsourced, and the 
primary reason behind that decision is protecting sensitive 
data. The one thing which will always be a concern as long as 
there is IT is cyber security. Cyber security is a fairly new 
field, and it does not guarantee that you or your business will 
always be secure. Importantly, it is not a question of if you 
get breached but of when your systems will face a cyber-attack. 
If you search the web for the meaning of "Infrastructure 
Management", you will find work environment guidelines, 
protocols and procedures. Their main goal is to get you to 
understand what needs to be addressed and the steps to be 
taken, and basically to get everyone on the same page. They 
also make sure you know who to go to, in case you don't. 
I'm taking a different approach, however: I'm looking at this 
in a "how would I do it" way, in order to acknowledge certain 
things. So I will start by addressing some issues. If you are 
in this business, then whatever the size of the company, and 
whether it uses HID cards, proximity cards or something else, 
know what those things are and what they mean. I'm not saying 
you should stop what you are doing, learn coding and master the 
seven layers to become a cyber-warrior. If you are at the top 
of management in your business or company, you should have a 
very skilled network systems administrator or a cyber-security 
professional, and he or she must be well aware of his or her 
mandate. You must still prove your own worth to the company, 
though. I mentioned key cards earlier and won't go into much 
detail about them, but strive to know what they are and how 
they work. Big companies usually spend money on highly secured 
systems, but other cards can be read from a few feet away. 
Take the necessary steps to reduce the risk of being breached. 
When you go for lunch, be careful where you keep your card. 
During an employee meeting, you can all agree on a secure type 
of storage with a safeguard such as signal blocking. Discuss 
the keyboard shortcuts for locking your computer, if needed, to 
reduce the probability of a breach. Even for company email, 
there are better alternatives that can keep employees' 
conversations private. So why do the government and other 
officials use printed email? A printout can be easily 
destroyed, and it is about time you adopted this form of 
communication. There are different ways to shred documents; 
when destroying confidential documents, always ensure that no 
information can be recovered, even if it means soaking the 
shredded material in water. 

A small thing, when applied correctly, can help out in a big 
way. Software like ransomware can be used to block access to 
your firm's infrastructure, so let's hope that by the time of 
your meeting there is a secure way of backing up data. Also, 
learning to unplug connected devices can save you downtime. 
Mostly, it is the things we can easily control that we are too 
naive to see. It is worth noting that the most highly secured 
systems are not online. So there is hope after all, and I hope 
you can do it! Every opinion counts. Speak up; don't just 
listen to the one who seems to belittle your idea of securing 
your system. Thank you, and good luck in ensuring better 
infrastructure management. 


Best regards, 
Randy Ramirez 
(cyberlife25) 




Rack-mount networking server 
Designed for BSD and Linux Systems 


Up to 5.5Gbit/s FreeBSD routing power! 

Designed. Certified. Supported. 


6 NICs w/ Intel igb(4) driver w/ bypass 
Hand-picked server chipsets 
Netmap Ready (FreeBSD & pfSense) 
Up to 14 Gigabit expansion ports 
Up to 4x10GbE SFP+ expansion 

BGP & OSPF routing 
Firewall & UTM Security Appliances 
Intrusion Detection & WAF 
CDN & Web Cache / Proxy 
E-mail Server & SMTP Filtering 


contactus@serveru.us | www.serveru.us 
8001 NW 64th St. Miami, FL 33166 | +1 (305) 421-9956 


FreeNAS Flash 


NOT ANYMORE! 


IXSYSTEMS DELIVERS A FLASH ARRAY 
FOR UNDER $10,000 


A high performance all-flash 
array at the cost of spinning disk. 


10TB of all-flash storage for less than $10,000 
Unifies SAN/NAS for block and file workloads 
Runs FreeNAS, the world's #1 software-defined storage solution 
OpenZFS ensures data integrity 
Scales to 100TB in 2U 

Perfectly suited for Virtualization, Databases, Analytics, HPC, and M&E 
Performance-oriented design provides maximum throughput/IOPs and lowest latency 
Maximizes ROI via high-density SSD technology and inline data reduction 


The all-flash datacenter is now within reach. Deploy a FreeNAS Certified 
Flash array today from iXsystems and take advantage of all the benefits 
flash delivers. 


For more information, visit iXsystems today. 


